Re: snort-inline doesn't detect second occurrence

[Rob McMillen <rvmcmil () cablespeed com>]

Dave,
        Thanks for taking the time to provide feedback.  I've taken over 
maintenance for snort_inline from Jed because he has been swamped lately. 

> second and subsequent occurrences of a drop match aren't dropped, but
> simply cruise right on through. Example:

Will take a look at this.

> As a somewhat separate issue, I compiled snort-inline with flex-resp, and
> it doesn't appear that including "resp:rst_all;" actually sends a reset
> (as in, the connection is never shut down, and I don't see any resets on
> the wire). Since there's no mention anywhere of the flex-resp stuff
> working in -Q mode, that may be a moot point at this moment. (Could be
> related to the libpcap not being initiated in -Q mode; maybe libnet isn't
> active at that point either).

The reset code never made it into that version of snort_inline.  The 
Honeynet Project is about to release an updated version that integrates 
the reset code for tcp packets and port unreachable for udp.  The new 
snort_inline should be release early next week.  I'll see if I can 
recreate your problem above and fix it before release.

Thanks,

Rob