[Snort-users] react: block not working
mkettler at ...4108...
Fri Feb 6 08:05:18 EST 2004
At 09:25 AM 2/6/2004, Micheal.Cottingham wrote:
>As per the subject, react: block does not seem to be working. ACID is
>still picking up the alerts even though react: block is set. An example
>alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "ICMP Large ICMP
>Packet"; dsize: > 800; react: block; reference: arachnids, 246;
>sid: 499; rev: 3; classtype: bad-unknown;)

You probably need to get a MUCH better understanding of what react:block
does before you use it further.

1) react:block is NOT a firewall
2) react:block will NOT stop subsequent attempts
3) react:block will not prevent the current packet alerted on from entering
4) react:block does nothing useful when used on ICMP packets.

React:block _does_ however _attempt_ to reset a connection by using the
flexresp system. This, if successful, prevents any more data in the given
session from entering your network.... ICMP messages are sessionless, and
there's little of any value that can be done to them after-the-fact.
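
The point about ICMP in the reply above can be checked mechanically across a rules file. The following is an added example, not part of the original post and not Snort code: a small Python linter (all function and constant names are this example's own) that flags `react: block` on rules whose protocol has no session to reset. Treating UDP the same way as ICMP is an assumption that goes beyond the post.

```python
import re

# Protocols with no connection for react: block to reset. The post makes the
# point for ICMP; including UDP is this example's assumption.
SESSIONLESS = {"icmp", "udp"}

# action, protocol, rest of the header, then the parenthesised option body
RULE_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+[^()]*\((?P<opts>.*)\)\s*$",
    re.DOTALL,
)

def split_options(opts):
    """Split an option body on ';' without breaking quoted strings."""
    out, buf, in_quote, prev = [], "", False, ""
    for ch in opts:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            out.append(buf.strip())
            buf = ""
        else:
            buf += ch
        prev = ch
    out.append(buf.strip())
    return [o for o in out if o]

def lint_rule(rule):
    """Return findings for one rule; an empty list means nothing to report."""
    m = RULE_RE.match(rule)
    if not m:
        return ["unparseable rule"]
    proto = m.group("proto").lower()
    findings = []
    for opt in split_options(m.group("opts")):
        key, _, value = opt.partition(":")
        if key.strip().lower() == "react" and "block" in value.lower():
            if proto in SESSIONLESS:
                findings.append(f"react: block on {proto} rule: no session to reset")
    return findings

# Based on the rule quoted in the post, joined onto one line.
POSTED_RULE = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "ICMP Large ICMP '
               'Packet"; dsize: > 800; react: block; reference: arachnids, 246; '
               'sid: 499; rev: 3; classtype: bad-unknown;)')
# Constructed TCP rule for comparison; sid and content are made up.
TCP_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "constructed; example"; '
            'content: "example"; react: block; sid: 1000001; rev: 1;)')

if __name__ == "__main__":
    for r in (POSTED_RULE, TCP_RULE):
        print(lint_rule(r) or "ok")
```

A finding here only means the reaction cannot do anything for that rule; the alert itself still fires and is logged either way, which matches what the original poster saw in ACID.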