Snort mailing list archives

Re: react: block not working


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 06 Feb 2004 11:07:33 -0500

At 09:25 AM 2/6/2004, Micheal.Cottingham wrote:
As per the subject, react: block does not seem to be working. ACID is still picking up the alerts even though react: block is set. An example rule is:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; sid:499; rev:3; classtype:bad-unknown; react:block;)


You probably need to get a MUCH better understanding of what react:block does before you use it further.

http://www.snort.org/docs/snort_manual/node16.html#SECTION00374000000000000000

1) react:block is NOT a firewall
2) react:block will NOT stop subsequent attempts
3) react:block will not prevent the current packet alerted on from entering your network.
4) react:block does nothing useful when used on ICMP packets.

React:block _does_ however _attempt_ to reset a connection by using the flexresp system. This, if successful, prevents any more data in the given session from entering your network. ICMP messages are sessionless, and there's little of any value that can be done to them after-the-fact.
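To make the four points above concrete, here is an added example (not part of the original post and not Snort or flexresp code) that shows what a flexresp-style "reset" physically is: a forged TCP RST, built from the sequence state carried in the offending segment and sent back toward the peer after that segment has already been seen. The packet bytes are constructed inline for the demonstration; the addresses, ports and sequence numbers are made up.

```python
"""Added example: forge the TCP RST a flexresp-style responder would emit.

Not Snort code. Stdlib only. Shows why the reset (a) only works for TCP,
(b) cannot undo the packet that triggered it, and (c) returns None for ICMP,
which carries no sequence state to reset.
"""
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over valid data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_tcp(sport, dport, seq, ack, flags, src_ip, dst_ip, payload=b"") -> bytes:
    """TCP header (data offset 5) with checksum over the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 0, 0, 0)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(hdr) + len(payload)))
    hdr = hdr[:16] + struct.pack("!H", checksum(pseudo + hdr + payload)) + hdr[18:]
    return hdr + payload


def describe(pkt: bytes):
    """Parse IPv4/TCP fields needed to reset a session; None for non-TCP."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst, proto = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9]
    if proto != 6:
        return None  # ICMP, UDP, ...: no sequence numbers, nothing to reset
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "seq": seq, "ack": ack, "flags": off_flags & 0x1FF,
            "payload_len": len(tcp) - (off_flags >> 12) * 4,
            "ip_csum_ok": checksum(pkt[:ihl]) == 0,
            "tcp_csum_ok": checksum(pseudo + tcp) == 0}


def forge_reset(offending: bytes):
    """Build the RST|ACK a responder sends back to the sender of `offending`.

    The RST must land inside the sender's receive window, so its SEQ is the
    sender's ACK and its ACK covers everything the sender has transmitted
    (data plus SYN/FIN). Note: this is emitted only after `offending` has
    already been seen on the wire, so that packet itself is never stopped.
    """
    d = describe(offending)
    if d is None:
        return None
    seq = d["ack"]
    ack = (d["seq"] + d["payload_len"]
           + bool(d["flags"] & 0x02) + bool(d["flags"] & 0x01)) & 0xFFFFFFFF
    rst = build_tcp(d["dport"], d["sport"], seq, ack, 0x14, d["dst"], d["src"])  # RST|ACK
    return build_ipv4(d["dst"], d["src"], 6, rst)


# Constructed sample traffic (made-up addresses from the documentation ranges).
OFFENDING_TCP = build_ipv4(
    "198.51.100.7", "192.0.2.10", 6,
    build_tcp(40000, 80, 1000, 5000, 0x18, "198.51.100.7", "192.0.2.10", b"GET / HTTP"))
# An oversized ICMP echo request, like the one the quoted rule matches on.
OFFENDING_ICMP = build_ipv4(
    "198.51.100.7", "192.0.2.10", 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"A" * 800)

if __name__ == "__main__":
    print("TCP  ->", describe(forge_reset(OFFENDING_TCP)))
    print("ICMP ->", forge_reset(OFFENDING_ICMP))
```

The TCP case yields a 192.0.2.10:80 -> 198.51.100.7:40000 segment with RST|ACK set, SEQ 5000 and ACK 1010 (the sender's 1000 plus its 10 data bytes). The ICMP case yields nothing at all: with no ports, sequence numbers or session to tear down, the responder has no packet it could usefully send, which is the practical content of point 4 above.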





Snort-users mailing list
Snort-users () lists sourceforge net