[Snort-users] Error on new Rule

James Riden j.riden at ...11179...
Wed Mar 16 11:22:50 EST 2005


"Kendall Risselada" <krisselada at ...1150...> writes:

> As udp protocol is stateless, I don't know how this would be
> implemented

Send an ICMP destination/host/port unreachable with spoofed source
address, which is what you would get if the port were really closed.

For UDP you should use the latter group, and for TCP the former, IIRC:

    rst_snd    send TCP-RST packets to the sending socket
    rst_rcv    send TCP-RST packets to the receiving socket
    rst_all    send TCP-RST packets in both directions

    icmp_net   send an ICMP_NET_UNREACH to the sender
    icmp_host  send an ICMP_HOST_UNREACH to the sender
    icmp_port  send an ICMP_PORT_UNREACH to the sender
    icmp_all   send all above ICMP packets to the sender

cheers,
 Jamie
-- 
James Riden / j.riden at ...11179... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
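
An added example, not part of the original message: a small Python check that applies the advice above to Snort rule text, flagging `rst_*` modifiers on non-TCP rules and `icmp_*` modifiers on TCP rules. The sample rules, their sids and the `check_resp` helper are constructed for illustration, and the parser is simplified (it does not handle escaped semicolons inside option values).

```python
import re

# Modifier groups as listed in the message above.
TCP_RESETS = {"rst_snd", "rst_rcv", "rst_all"}
ICMP_UNREACH = {"icmp_net", "icmp_host", "icmp_port", "icmp_all"}

# action, protocol, header, then everything between the outer parentheses.
RULE_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s+.*?\((.*)\)\s*$")
# A resp option at the start of the option list or after a ';'.
RESP_RE = re.compile(r"(?:^|;)\s*resp\s*:\s*([^;]+)")


def check_resp(rule):
    """Return a list of problems with the resp modifiers of one rule."""
    m = RULE_RE.match(rule)
    if not m:
        return ["not a parsable rule"]
    _action, proto, options = m.groups()
    proto = proto.lower()
    problems = []
    for resp in RESP_RE.finditer(options):
        for mod in (x.strip() for x in resp.group(1).split(",")):
            if mod not in TCP_RESETS | ICMP_UNREACH:
                problems.append(f"unknown resp modifier: {mod}")
            elif mod in TCP_RESETS and proto != "tcp":
                # A TCP reset cannot answer a stateless UDP datagram.
                problems.append(f"{mod} needs a TCP session, rule is {proto}")
            elif mod in ICMP_UNREACH and proto == "tcp":
                problems.append(
                    f"{mod} on a tcp rule; the message suggests rst_* instead")
    return problems


# Constructed sample rules (hypothetical msg text and sids).
SAMPLE_RULES = [
    'alert udp $EXTERNAL_NET any -> $HOME_NET 69 '
    '(msg:"constructed: TFTP request"; resp:icmp_port; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 23 '
    '(msg:"constructed: telnet SYN"; flags:S; resp:rst_all; sid:1000002; rev:1;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 69 '
    '(msg:"constructed: wrong group"; resp:rst_all; sid:1000003; rev:1;)',
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(check_resp(rule) or "ok", "<-", rule[:44])
```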





