[Snort-devel] Snort treat drop rule as Wdrop but still send back ICMP unreachable

朱以静 zhuyijing168 at ...1389...
Fri May 9 04:34:15 EDT 2014


Dear all,
I encountered one problem when I use snort. I configure snort adapter mode to inline and the policy mode to inline_test, then the drop rules should be token as Wdrop, right?


Here is the command line I used to start snort:
snort -b -q -i eth0:eth1 -l /snort.log --daq-dir /lib/daq --daq afpacket -c /etc/snort/snort.conf -Q


And the drop rules I added:
drop icmp any any -> any any (msg: "user defined rules triggered"; sid:28899)


here is the topo:
pc1(eth0) <---> (eth0) Snort (eth1) <---> (eth0)pc2


Then I ping pc2 from pc1:
Snort log the message to /snort.log/alert as Wdrop. And pc1 can get the reply from pc2, but another ICMP unreachable packet also got on pc1 eth0.
here is what I captured.


And my question is why the ICMP unreachable should be sent? Actually the traffic is not dropped, I only want snort to log the message.
The behavior looks strange, right?


Thanks!



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20140509/4eef4630/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: icmp.png
Type: image/png
Size: 28104 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20140509/4eef4630/attachment.png>


More information about the Snort-devel mailing list