Snort mailing list archives
Re: snort3: reject rule problem
From: "Russ Combs (rucombs) via Snort-devel" <snort-devel () lists snort org>
Date: Thu, 26 Sep 2019 11:36:33 +0000
Take a look at the active module. Try configuring active.min_interval.

Russ

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Meridoff via Snort-devel <snort-devel () lists snort org>
Reply-To: Meridoff <oagvozd () gmail com>
Date: Wednesday, September 25, 2019 at 5:39 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] snort3: reject rule problem

Hello

I have a reject rule that sends Port unreachable for ping. It's OK, but only for the 1st packet. The next ping packets are silently dropped and not detected and not logged.

reject icmp 192.168.0.1 any -> any any ( gid:8000; sid:1; msg:"ping"; )

This happens when the stream and stream_icmp inspectors are in the config. If I remove the stream {} and/or stream_icmp {} inspectors from the snort lua config, then ALL OK: each packet is dropped, logged and an ICMP Port unreach is sent on each dropped packet.

Part of config:

stream={}
stream_icmp={}
reject={control="port"}

Thanks.