[Snort-users] reject is identical to drop

Russ Combs rcombs at ...1935...
Thu Jul 7 10:38:51 EDT 2011


On Thu, Jul 7, 2011 at 4:02 AM, Kevin Ross <kevross33 at ...14012...> wrote:

> From the manual:
>
> 6. drop - block and log the packet
> 7. reject - block the packet, log it, and then send a TCP reset if the
> protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
>
> The sending station should receive back a RST packet.
>
> On 7 July 2011 01:24, HN Nguyen <nhncontact at ...11827...> wrote:
>
>> I'm using snort (v2.9.0.5) inline with iptables. I have a rule with
>> "reject" action, but when it triggers, no packet is sent back to the sender
>> (tcpdump on all interfaces confirms this).
>>
>> The rule is:
>> reject tcp any any -> any 7
>>
>> The log shows:
>> 07/07-00:15:19.553113  [Drop][Priority: 0] {TCP} 192.168.41.122:38805 ->
>> 192.168.1.57:7
>>
>> This is identical to the behaviour when I change the action to "drop".
>>
>> Is there anything I'm missing or doing wrong?
>>
>
Which DAQ are you using?

Do you get any relevant warnings at start up?

Did you review README.active?

>
>> Thanks.
>>
>>
>> ------------------------------------------------------------------------------
>> All of the data generated in your IT infrastructure is seriously valuable.
>> Why? It contains a definitive record of application performance, security
>> threats, fraudulent activity, and more. Splunk takes this data and makes
>> sense of it. IT sense. And common sense.
>> http://p.sf.net/sfu/splunk-d2d-c2
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> Please see http://www.snort.org/docs for documentation
>>
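A check for the situation in the thread, added here as example code (not Snort's and not the posters' own): it walks a classic libpcap capture, such as one written with tcpdump -w, and counts TCP RSTs on the rejected flow plus ICMP port-unreachables addressed to the client, so a working reject gives a non-zero count while a rule that only drops gives zero. The flow endpoints are taken from the log line above; the two in-memory captures are constructed, and the pcap-ng format that newer tcpdump builds may write is not handled.

```python
import socket
import struct

# Flow from the poster's log line: client 192.168.41.122:38805 -> server 192.168.1.57:7.
CLIENT, CPORT, SERVER, SPORT = "192.168.41.122", 38805, "192.168.1.57", 7

def tcp_frame(src, dst, sport, dport, flags):
    """Build an Ethernet/IPv4/TCP frame with zeroed checksums (enough for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp

def pcap_bytes(frames):
    """Wrap frames in a little-endian classic libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def count_reject_responses(data, client, cport, server, sport):
    """Count TCP RSTs on the server->client flow and ICMP port-unreachables sent to the client."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    hits, off = {"tcp_rst": 0, "icmp_unreach": 0}, 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        proto, src, dst = frame[23], socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:]
        if proto == 6 and len(l4) >= 14 and (src, dst) == (server, client):
            s, d = struct.unpack("!HH", l4[:4])
            if (s, d) == (sport, cport) and l4[13] & 0x04:  # RST bit set
                hits["tcp_rst"] += 1
        elif proto == 1 and len(l4) >= 8 and dst == client and l4[0] == 3 and l4[1] == 3:
            hits["icmp_unreach"] += 1  # ICMP type 3 code 3: port unreachable
    return hits

# Constructed captures: what a working reject looks like, and what the poster saw.
SYN = tcp_frame(CLIENT, SERVER, CPORT, SPORT, 0x02)
RST = tcp_frame(SERVER, CLIENT, SPORT, CPORT, 0x04)
WORKING_REJECT = pcap_bytes([SYN, RST])
SILENT_DROP = pcap_bytes([SYN])

if __name__ == "__main__":
    print(count_reject_responses(WORKING_REJECT, CLIENT, CPORT, SERVER, SPORT))
    print(count_reject_responses(SILENT_DROP, CLIENT, CPORT, SERVER, SPORT))
```

To run it against a real capture, read the file with open(path, "rb").read() and pass the bytes in place of the constructed ones.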