Snort mailing list archives

Re: disabling sniping


From: "Al Lewis (allewi) via Snort-users" <snort-users () lists snort org>
Date: Fri, 3 May 2019 13:45:36 +0000

Reject should send the reset/icmp unreachable. Drop shouldn’t.

08:51:53.939581 IP 10.5.32.125.143 > 10.4.15.120.46590: Flags [R.], seq 9779, ack 311, win 0, length 0
08:51:53.939581 IP 10.4.15.120.46590 > 10.5.32.125.143: Flags [R.], seq 311, ack 9779, win 0, length 0

With the reject keyword I see the resets above. With drop there is nothing in the capture.

Use “--daq dump” to see the traffic. A file named “inline-out.pcap” should be generated.


From: Snort-users <snort-users-bounces () lists snort org> on behalf of "Graham Bartlett (grbartle) via Snort-users" <snort-users () lists snort org>
Reply-To: "Graham Bartlett (grbartle)" <grbartle () cisco com>
Date: Friday, May 3, 2019 at 9:27 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] disabling sniping

Hi

I have set up Snort in inline mode.

It’s working as planned, but I would like Snort to silently discard dropped traffic, rather than sending an ICMP unreachable.

Is there a method to do this?

I looked at sniping and setting the reply number to 0, but this didn’t seem possible.

<att> ::= (1..20)

Many thanks
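
Added example, not part of either message and not Snort project code: one way to check a capture for the reset pair quoted in the reply, by parsing tcpdump's one-line text output (for instance from `tcpdump -nn -r inline-out.pcap`). The function names and the DROP_CAPTURE lines are constructed for illustration, and treating a mirrored seq/ack pair as an injected reset is a heuristic assumption.

```python
import re

# tcpdump's default one-line TCP summary (IPv4), as quoted in the reply.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:\s]+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?"
    r"(?:, ack (?P<ack>\d+))?"
)

def parse_tcp_line(line):
    """Return src/dst/flags/seq/ack for one tcpdump line, or None if it is not TCP."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "src": m["src"], "dst": m["dst"], "flags": m["flags"],
        "seq": int(m["seq"]) if m["seq"] else None,
        "ack": int(m["ack"]) if m["ack"] else None,
    }

def mirrored_reset_flows(lines):
    """Flows with a RST in each direction whose seq/ack values mirror each other."""
    resets = {}  # (src, dst) -> [(seq, ack), ...]
    for line in lines:
        pkt = parse_tcp_line(line)
        if pkt and "R" in pkt["flags"]:
            resets.setdefault((pkt["src"], pkt["dst"]), []).append((pkt["seq"], pkt["ack"]))
    flows = set()
    for (src, dst), fwd in resets.items():
        rev = resets.get((dst, src), [])
        for seq, ack in fwd:
            # A RST with seq=X, ack=Y answered by one with seq=Y, ack=X.
            if seq is not None and ack is not None and (ack, seq) in rev:
                flows.add(tuple(sorted((src, dst))))
    return sorted(flows)

# The two lines from the reply (reject rule).
REJECT_CAPTURE = [
    "08:51:53.939581 IP 10.5.32.125.143 > 10.4.15.120.46590: Flags [R.], seq 9779, ack 311, win 0, length 0",
    "08:51:53.939581 IP 10.4.15.120.46590 > 10.5.32.125.143: Flags [R.], seq 311, ack 9779, win 0, length 0",
]
# Constructed lines: data plus a one-sided RST from an endpoint, no mirrored pair.
DROP_CAPTURE = [
    "08:51:53.100000 IP 10.4.15.120.46590 > 10.5.32.125.143: Flags [P.], seq 290:311, ack 9779, win 229, length 21",
    "08:52:10.000000 IP 10.4.15.120.46590 > 10.5.32.125.143: Flags [R], seq 311, win 0, length 0",
]

if __name__ == "__main__":
    print("reject capture:", mirrored_reset_flows(REJECT_CAPTURE))
    print("drop capture:  ", mirrored_reset_flows(DROP_CAPTURE))
```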