[Snort-users] react: block not working

Matt Kettler mkettler at ...4108...
Fri Feb 6 08:05:18 EST 2004


At 09:25 AM 2/6/2004, Micheal.Cottingham wrote:
>As per the subject, react: block does not seem to be working. ACID is 
>still picking up the alerts even though react: block is set. An example
>rule is:
>
>alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "ICMP Large ICMP 
>Packet"; dsize: > 800; react: block; reference: arachnids, 246;
>sid: 499; rev: 3; classtype: bad-unknown;)


You probably need to get a MUCH better understanding of what react:block 
does before you use it further.

http://www.snort.org/docs/snort_manual/node16.html#SECTION00374000000000000000

1) react:block is NOT a firewall
2) react:block will NOT stop subsequent attempts
3) react:block will not prevent the current packet alerted on from entering 
your network.
4) react:block does nothing useful when used on ICMP packets.

React:block _does_ however _attempt_ to reset a connection by using the 
flexresp system. This, if successful, prevents any more data in the given 
session from entering your network.... ICMP messages are sessionless, and 
there's little of any value that can be done to them after-the-fact.
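
As an added illustration (not part of the original thread and not Snort project code), a small Python linter that flags `react` on rules whose protocol is not TCP, the case in point 4 above. The function names and the sample rules are constructed (the first is a shortened form of the ICMP rule in the question); treating every non-TCP protocol like ICMP is an assumption based on the reset being a TCP mechanism.

```python
import re

# Snort rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r"^\s*\w+\s+(?P<proto>\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*"
    r"\((?P<opts>.*)\)\s*$", re.DOTALL)
# One option = run of plain chars, escaped chars, or quoted strings (may hold ';')
OPTION_RE = re.compile(r'(?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+')

def parse_options(opts):
    """Return (keyword, value) pairs from the text between the parentheses."""
    pairs = []
    for part in OPTION_RE.findall(opts):
        key, _, value = part.strip().partition(":")
        if key:
            pairs.append((key.strip().lower(), value.strip()))
    return pairs

def check_rule(rule):
    """Return findings for one complete rule (empty list means no finding)."""
    m = RULE_RE.match(rule)
    if not m:
        return ["unparseable rule"]
    proto = m.group("proto").lower()
    return [f"react: {value} on {proto}: no TCP session to reset"
            for key, value in parse_options(m.group("opts"))
            if key == "react" and proto != "tcp"]

def lint(text):
    """Lint a rules file: skip comments, join backslash-continued lines."""
    results, buf = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        rule, buf = buf + line, ""
        findings = check_rule(rule)
        if findings:
            results.append((rule, findings))
    return results

SAMPLE_RULES = r"""
# constructed sample rules
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "ICMP Large ICMP Packet"; \
    dsize: > 800; react: block; classtype: bad-unknown;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "constructed web rule"; content: "bad.htm"; react: block;)
"""
```

Calling `lint(SAMPLE_RULES)` reports only the ICMP rule; the TCP rule passes because a reset can at least be attempted there.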






