Snort mailing list archives

Re: Sticky-drop

From: Patrick Walsh <pwalsh () esoft com>
Date: Wed, 07 Dec 2005 16:32:02 -0700

    Any thoughts on how I can get my hands on or learn more about
sticky-drop?

I think you are talking about sdrop?


        I'm familiar with sdrop.  My question is in response to this post from
Will earlier today:

sticky-drop in snort-inline can do this.  You could probably
accomplish the same thing with Snortsam In InlineMode(); but I haven't
tried it.


        By which I assume that sticky-drop drops the connection and also drops
future connections from the target IP.

        And then there's this posting by Will from 3/30/05:

The IPS functionality drops or rejects induvidual packets, unless you 
are using the sticky-drop preprocessor from snort_inline-2.3.0-RC1 and
tell it otherwise.


        I did find some related preprocessor files in the
snort_inline-2.3.0-RC1 tree, but those files don't exist in the 2.4.3
tree, nor can I find any documentation on exactly what they do or how to
make use of them...

        Anyone know what this is about or if it works or is supported
somewhere?

-- 
Patrick Walsh
eSoft Incorporated
303.444.1600 x3350
http://www.esoft.com/

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

Can I automatically include rules? oink (Dec 06)
- Re: Can I automatically include rules? Will Metcalf (Dec 06)
  - Re: Can I automatically include rules? oink (Dec 06)
  - Sticky-drop Patrick Walsh (Dec 07)
    - Re: Sticky-drop G Ramon Gomez (Dec 07)
    - Re: Sticky-drop Will Metcalf (Dec 07)
    - Re: Sticky-drop Patrick Walsh (Dec 07)
    - Message not available
    - Re: Sticky-drop Patrick Walsh (Dec 07)
    - Re: Sticky-drop Will Metcalf (Dec 07)
    - Re: Sticky-drop Joel Esler (Dec 07)
- Re: Can I automatically include rules? Jason (Dec 06)
- Re: Can I automatically include rules? Nerijus Krukauskas (Dec 06)