[Snort-users] Can i discard a packet when a match accure

Erich Meier Erich.Meier at ...99...
Sat Aug 12 10:56:43 EDT 2000


On Sat, Aug 12, 2000 at 07:20:23AM -0700, Dragos Ruiu wrote:
> On Sat, 12 Aug 2000, Dudi Sterenberg wrote:
> > I would like to know if there is a way to DISCARD or DROP a packet if there
> > is a match. i am not talking about flexresp.
> 
> The "how to write snort rules" document at www.snort.org may be of interest to
> you.  Particularly the part about "pass" rule actions that drop packets.   --dr

I guess, Dudi meant to stop the packet on its way, i.e. by sendig a jam signal
on Ethernet.

No, up to now, snort can not do that. And it would be technically impossible
in some LAN technologies like FDDI, where the packet may already be fully
received by the next hop when snort comes into play.

       ----- Sender ------
dir   |                   |
ect ^ |                Next Hop
ion | |                   |
       ---- Snort Host ---

Erich




More information about the Snort-users mailing list