Snort mailing list archives

snort3: reject rule problem when stream inspector is on


From: Meridoff via Snort-users <snort-users () lists snort org>
Date: Tue, 30 Jul 2019 15:14:50 +0300

Hello
I have a reject rule that sends Network unreachable for ping.

It's OK, but only for the 1st packet.

The next ping packets are silently dropped and not detected or logged at all.

My simple Config:
--=========
HOME_NET = "any"
EXTERNAL_NET = "any"
daq={ module_dirs = { "/usr/lib/daq" }, variables = { "queue=1", "device=ip", "proto=ip4"}, module = "nfq" }
daq.instances = { id = 0, variables = { "queue=1"}  }
ips = { mode = "inline", enable_builtin_rules = false }
wizard = default_wizard
snort["-z"]=1
alert_fast = {file=true}
stream={}
stream_icmp={}
reject={control="port"}
binder={ use = { type = "wizard" } }
ips.rules = [[
                include /var/cache/snort/m.rules
]]
snort["-Q"]=true
--=========
And rule in /var/cache/snort/m.rules:
reject icmp 192.168.33.10 any -> any any ( gid:8000; sid:1;  )

====

If I remove stream {} and/or stream_icmp {}, then all is OK: each packet is
dropped and logged, and ICMP Port unreach is sent for each dropped packet.

Thanks
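A check for the symptom described in this post, added here as an example and not part of the original message or of Snort itself: it parses alert_fast lines and reports flows where fewer packets were logged than were sent, which is what a per-packet reject rule hitting a flow-level block looks like. The log lines, the ping count and the alert_fast field layout it assumes (timestamp [**] [gid:sid:rev] "msg" [**] [Priority: n] {PROTO} src -> dst) are constructed for the example.

```python
"""Detect the 'only the first packet is logged' symptom in alert_fast output.

Example code, not from the original post: given the number of echo requests
sent and the alert_fast lines Snort produced, report flows whose logged
packet count falls short of that number.
"""
import re
from collections import Counter

# Assumed alert_fast layout; adjust the pattern if your build prints extra fields.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] '
    r'"(?P<msg>[^"]*)" \[\*\*\] .*\{(?P<proto>\w+)\} '
    r'(?P<src>\S+) -> (?P<dst>\S+)$'
)

# Constructed sample: four pings were sent, but only the first produced an alert,
# matching the rule "reject icmp 192.168.33.10 any -> any any (gid:8000; sid:1;)".
SAMPLE_ALERTS = [
    '07/30-15:14:50.100001 [**] [8000:1:0] "" [**] [Priority: 0] {ICMP} '
    '192.168.33.10 -> 192.168.33.1',
]
PINGS_SENT = 4


def parse_alert_fast(line):
    """Return the fields of one alert_fast line as a dict, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def count_by_flow(lines):
    """Count logged packets per (gid, sid, proto, src, dst) tuple."""
    counts = Counter()
    for line in lines:
        rec = parse_alert_fast(line)
        if rec:
            counts[(rec["gid"], rec["sid"], rec["proto"], rec["src"], rec["dst"])] += 1
    return counts


def find_underlogged_flows(lines, expected):
    """Return [(flow_key, logged, expected)] for flows logged fewer than `expected` times.

    A rule that is meant to act on every packet should log every packet; a shortfall
    means later packets of the flow were handled without the rule being evaluated."""
    return [(k, n, expected) for k, n in count_by_flow(lines).items() if n < expected]


if __name__ == "__main__":
    for key, logged, expected in find_underlogged_flows(SAMPLE_ALERTS, PINGS_SENT):
        print(f"{key[3]} -> {key[4]} ({key[2]}, gid {key[0]} sid {key[1]}): "
              f"logged {logged} of {expected} packets")
```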