[Snort-users] why old libnet?

Will Metcalf william.metcalf at ...11827...
Mon Mar 28 13:10:44 EST 2005


> Yeah, I was looking at the code and you are correct. I guess I
> (incorrectly) assumed it somehow used the netfilter reject target to
> generate the packets. Instead snort generates them itself

The reason for this is that libipq can only set a verdict of NF_DROP,
NF_CONTINUE, or NF_REPEAT, and if I remember correctly the reject
stuff  lives in iptables not in netfilter.

 > >Probably because it has support for using reject as well as drop, alert
> >and log.  The reject keyword allows you to reset the connection rather
> >than just drop it.

Until they upgrade the flexresp code to libnet 1.1.x I'm not going to
rewrite the code for the reject stuff.  I'm not going to be
responsible for adding another dep to snort.


Regards,

Will




More information about the Snort-users mailing list