[Snort-users] Difference between drop and reject rules

Russ rucombs at ...589...
Mon Feb 9 07:54:51 EST 2015


You have active responses enabled with the configuration below. That 
causes Snort to send TCP resets or ICMP unreachables when a session is 
blocked.

preprocessor stream5_global: track_tcp yes, \
...
    max_active_responses 2, \
    min_response_seconds 5

On 2/8/15 5:22 AM, Mark Greenman wrote:
> The configuration file, the rules and a pcap file captured at the
> client side are attached to the email.
> Thanks
>
> On 2/7/15, Joel Esler (jesler) <jesler at ...589...> wrote:
>> Drop shouldn't send anything.  So if you are seeing this, we need your
>> configuration, rules, and a pcap.
>>
>> --
>> Joel Esler
>> Sent from my iPhone
>>
>> On Feb 7, 2015, at 8:29 AM, Mark Greenman
>> <mark.greenman.014 at ...11827...> wrote:
>>
>> Hi. Do you know why both drop and reject rules work exactly the same? The
>> manual says that drop rules must not send RST packets, but they do. Does
>> anyone know the reason?
>>
>> Thanks
>> ------------------------------------------------------------------------------
>> Dive into the World of Parallel Programming. The Go Parallel Website,
>> sponsored by Intel and developed in partnership with Slashdot Media, is
>> your
>> hub for all things parallel software development, from weekly thought
>> leadership blogs to news, videos, case studies, tutorials and more. Take a
>> look and join the conversation now. http://goparallel.sourceforge.net/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort
>> news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150209/2552e7d9/attachment.html>
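
An added example, not part of the original thread or the poster's attached configuration: a small Python check that reads snort.conf text, joins the backslash-continued stream5_global line, and reports whether max_active_responses is set above zero, the setting the reply points to. The sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample snort.conf fragment (not the poster's attached file).
SAMPLE_CONF = """\
# stream reassembly
preprocessor stream5_global: track_tcp yes, \\
    track_udp yes, \\
    max_active_responses 2, \\
    min_response_seconds 5
preprocessor stream5_tcp: policy windows
"""

def join_continuations(text):
    """Merge lines ending in a backslash into one logical line."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            logical.append(buf + line)
            buf = ""
    if buf:
        logical.append(buf)
    return logical

def stream5_global_options(text):
    """Return {option: value} from the stream5_global line, or None if absent."""
    for line in join_continuations(text):
        # Commented-out lines start with '#' and therefore never match.
        m = re.match(r"preprocessor\s+stream5_global\b\s*:?\s*(.*)", line.strip())
        if m:
            opts = {}
            for item in m.group(1).split(","):
                parts = item.split()
                if parts:
                    opts[parts[0]] = parts[1] if len(parts) > 1 else ""
            return opts
    return None

def active_responses(text):
    """Return (max_active_responses, min_response_seconds); None where unset."""
    opts = stream5_global_options(text) or {}
    def num(key):
        return int(opts[key]) if opts.get(key, "").isdigit() else None
    return num("max_active_responses"), num("min_response_seconds")

def sends_active_responses(text):
    """True when the file sets max_active_responses above zero, as in the thread."""
    maximum, _ = active_responses(text)
    return maximum is not None and maximum > 0
```
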

