[Snort-users] Difference between drop and reject rules

Mark Greenman mark.greenman.014 at ...11827...
Thu Feb 12 07:38:41 EST 2015


Thanks. It now works as you said.

On Thu, Feb 12, 2015 at 3:47 PM, Russ <rucombs at ...589...> wrote:

>
> On 2/12/15 2:33 AM, Mark Greenman wrote:
>
>  Thanks for your response and sorry that I'm answering a little late.
>  You are right sir. But I think active responses are needed for "reject"
> rules. Actually, based on the manual, Snort must send TCP reset or ICMP
> unreachable for reject rules and not for the drop rules. I think what I see
> is that "drop" and "reject" work exactly the same.
>
> They are the same only because your config tells Snort to handle drops as
> rejects.  This config allows drops and rejects to work "at face value":
>
> config response: attempts 1
> #
> preprocessor stream5_global: track_tcp yes, track_udp no
> preprocessor stream5_tcp: policy linux
> #
> drop tcp any any -> any 80 ( sid:1; msg:"block only"; content:"foo"; )
> reject tcp any any -> any 80 ( sid:2; msg:"block and reject"; content:"bar"; )
>
>
>  Thanks again
>
> On Mon, Feb 9, 2015 at 4:24 PM, Russ <rucombs at ...589...> wrote:
>
>>  You have active responses enabled with the configuration below.  That
>> causes Snort to send TCP resets or ICMP unreachables when a session is
>> blocked.
>>
>> preprocessor stream5_global: track_tcp yes, \
>> ...
>>    max_active_responses 2, \
>>    min_response_seconds 5
>>
>>
>> On 2/8/15 5:22 AM, Mark Greenman wrote:
>>
>> The configuration file, the rules and a pcap file captured at the
>> client side are attached to the email.
>> Thanks
>>
>> On 2/7/15, Joel Esler (jesler) <jesler at ...589...> wrote:
>>
>>  Drop shouldn't send anything.  So if you are seeing this, we need your
>> configuration, rules, and a pcap.
>>
>> --
>> Joel Esler
>> Sent from my iPhone
>>
>> On Feb 7, 2015, at 8:29 AM, Mark Greenman
>> <mark.greenman.014 at ...11827...> wrote:
>>
>> Hi. Do you know why both drop and reject rules work exactly the same? The
>> manual says that drop rules must not send RST packets, but they do. Does
>> anyone know the reason?
>>
>> Thanks
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort
>> news!
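Added example, not part of the original thread or of Snort itself: a small Python check that reads a snort.conf and reports whether `stream5_global` sets `max_active_responses` above zero, the setting Russ identifies as causing resets on blocked sessions. The function names and both sample configs are constructed for illustration; the second sample mirrors the config quoted in the thread.

```python
import re

# Constructed sample: stream5_global with active responses enabled.
BEFORE = r"""
preprocessor stream5_global: track_tcp yes, \
   max_active_responses 2, \
   min_response_seconds 5
"""

# Constructed sample mirroring the "face value" config quoted in the thread.
AFTER = r"""
config response: attempts 1
#
preprocessor stream5_global: track_tcp yes, track_udp no
preprocessor stream5_tcp: policy linux
"""

def logical_lines(text):
    """Join backslash-continued lines; skip blank lines and # comments."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line and not line.startswith("#"):
            joined.append(line)
    return joined

def stream5_global_options(text):
    """Return stream5_global options as a dict (bare keywords map to '')."""
    opts = {}
    for line in logical_lines(text):
        m = re.match(r"preprocessor\s+stream5_global\s*:\s*(.*)", line)
        if m:
            for item in m.group(1).split(","):
                parts = item.split(None, 1)
                if parts:
                    opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def drops_send_responses(text):
    """True when max_active_responses > 0, so blocked sessions get RST/ICMP."""
    value = stream5_global_options(text).get("max_active_responses", "0")
    return value.isdigit() and int(value) > 0
```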