Snort mailing list archives

snort3: reject rule problem


From: Meridoff via Snort-devel <snort-devel () lists snort org>
Date: Thu, 26 Sep 2019 00:37:36 +0300

Hello
I have a reject rule that sends Port unreachable for ping.

It's OK, but only for the 1st packet.

The next ping packets are silently dropped and not detected and not logged.

reject icmp 192.168.0.1 any -> any any ( gid:8000; sid:1; msg:"ping";  )

This happens when the stream and stream_icmp inspectors are in the config.


If I remove the stream {} and/or stream_icmp {} inspectors from the snort lua
config, then ALL OK: each packet is
dropped and logged, and an ICMP Port unreachable is sent for each dropped packet.



Part of config:


stream={}
stream_icmp={}
reject={control="port"}

Thanks.