Snort mailing list archives
Re: reject is identical to drop
From: Russ Combs <rcombs () sourcefire com>
Date: Thu, 7 Jul 2011 10:38:51 -0400
On Thu, Jul 7, 2011 at 4:02 AM, Kevin Ross <kevross33 () googlemail com> wrote:
> From the manual:
>
> 6. drop - block and log the packet
> 7. reject - block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
>
> The sending station should receive back a RST packet.
>
> On 7 July 2011 01:24, HN Nguyen <nhncontact () gmail com> wrote:
>> I'm using snort (v2.9.0.5) inline with iptables. I have a rule with "reject" action, but when it triggers, no packet is sent back to the sender (tcpdump on all interfaces confirms this).
>>
>> The rule is:
>>
>> reject tcp any any -> any 7
>>
>> The log shows:
>>
>> 07/07-00:15:19.553113 [Drop][Priority: 0] {TCP} 192.168.41.122:38805 -> 192.168.1.57:7
>>
>> This is identical to the behaviour when I change the action to "drop". Is there anything I'm missing or doing wrong?

Which DAQ are you using? Do you get any relevant warnings at start up? Did you review README.active?
Thanks.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please see http://www.snort.org/docs for documentation
Current thread:
- reject is identical to drop HN Nguyen (Jul 06)
- Re: reject is identical to drop Kevin Ross (Jul 07)
- Re: reject is identical to drop Russ Combs (Jul 07)
- Re: reject is identical to drop HN Nguyen (Jul 07)
- Re: reject is identical to drop Russ Combs (Jul 07)
- Re: reject is identical to drop Kevin Ross (Jul 07)