[Snort-users] Difference between drop and reject rules

Mark Greenman mark.greenman.014 at ...11827...
Thu Feb 12 02:33:28 EST 2015


Thanks for your response and sorry that I'm answering a little late.
You are right sir. But I think active responses are needed for "reject"
rules. Actually, based on the manual, Snort must send TCP reset or ICMP
unreachable for reject rules and not for the drop rules. I think what I see
is that "drop" and "reject" work exactly the same.
Thanks again

On Mon, Feb 9, 2015 at 4:24 PM, Russ <rucombs at ...589...> wrote:

>  You have active responses enabled with the configuration below.  That
> causes Snort to send TCP resets or ICMP unreachables when a session is
> blocked.
>
> preprocessor stream5_global: track_tcp yes, \
> ...
>    max_active_responses 2, \
>    min_response_seconds 5
>
>
> On 2/8/15 5:22 AM, Mark Greenman wrote:
>
> The configuration file, the rules and a pcap file captured at the
> client side are attached to the email.
> Thanks
>
> On 2/7/15, Joel Esler (jesler) <jesler at ...589...> wrote:
>
>  Drop shouldn't send anything.  So if you are seeing this, we need your
> configuration, rules, and a pcap.
>
> --
> Joel Esler
> Sent from my iPhone
>
> On Feb 7, 2015, at 8:29 AM, Mark Greenman
> <mark.greenman.014 at ...11827...> wrote:
>
> Hi. Do you know why both drop and reject rules work exactly the same? The
> manual says that drop rules must not send RST packets but they do? Does
> anyone know the reason?
>
> Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150212/348cc9da/attachment.html>
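
Russ's reply ties the resets to `max_active_responses` in the `stream5_global` line. As an added example (not part of the thread and not Snort project code), this Python check reads a snort.conf, joins the backslash-continued `stream5_global` line, and reports whether that option turns active responses on. The sample configs are constructed, and treating a missing option as 0 (disabled) is an assumption based on the Snort 2.9 manual's stated default.

```python
import re

# Constructed sample: stream5_global carrying the two options quoted in the thread.
SAMPLE_ENABLED = """\
# constructed snort.conf fragment
preprocessor stream5_global: track_tcp yes, \\
   track_udp yes, \\
   max_active_responses 2, \\
   min_response_seconds 5
"""

# Constructed sample: option absent on the live line, present only in a comment.
SAMPLE_DISABLED = """\
preprocessor stream5_global: track_tcp yes, track_udp yes
# preprocessor stream5_global: max_active_responses 2
"""

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    joined = re.sub(r"\\[ \t]*\r?\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def stream5_global_options(text):
    """Return {option: value} from the first stream5_global line, or {}."""
    for line in logical_lines(text):
        m = re.match(r"preprocessor\s+stream5_global\s*:\s*(.*)$", line)
        if m:
            opts = {}
            for item in m.group(1).split(","):
                parts = item.split(None, 1)
                if parts:
                    opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
            return opts
    return {}

def active_responses_enabled(text):
    """True when max_active_responses is above 0 (assumed default: 0, disabled)."""
    value = stream5_global_options(text).get("max_active_responses", "0")
    return value.isdigit() and int(value) > 0

if __name__ == "__main__":
    for name, conf in (("enabled", SAMPLE_ENABLED), ("disabled", SAMPLE_DISABLED)):
        print(name, stream5_global_options(conf), active_responses_enabled(conf))
```

If the check reports active responses as enabled, resets seen on a session blocked by a drop rule match the behaviour Russ describes rather than a difference between the rule actions.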

