[Snort-users] react: block not working
micheal.cottingham at ...11154...
Fri Feb 6 06:27:08 EST 2004
As per the subject, react: block does not seem to be working. ACID is still picking up the alerts even though react: block is set. An example:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "ICMP Large ICMP Packet"; dsize: > 800; react: block; reference: arachnids, 246; sid: 499; rev: 3; classtype: bad-unknown;)
I am doing this for other things such as MSSQL Propagation Attempt, NMAP Ping, etc. I especially want to block ICMP Large Packet as the
TTLs have been modified, and the payload is a bit screwy to say the least. MSSQL Propagation Attempt is another big one on my list. I am in a
pure Windows environment and my boss is not in favor of *nix, so hogwash is out of the question, I'm afraid. snort-inline is also just *nix if I
am not mistaken, is it not? I am using Snort 2.1. Any help would be greatly appreciated.