[Snort-users] Difference between drop and reject rules

Mark Greenman mark.greenman.014 at ...11827...
Thu Feb 12 09:35:06 EST 2015


Can I ask one more question? What is the difference between these two types
of configurations? As I get it, the configuration that you suggested must
not be used with inline mode, while what I attempt to achieve is an inline
Snort. Does it cause any problems for inline operation and functions if I
deactivate Active Response?

Thank you very much

On Thu, Feb 12, 2015 at 4:08 PM, Mark Greenman <mark.greenman.014 at ...11827...>
wrote:

> Thanks. It now works as you said.
>
> On Thu, Feb 12, 2015 at 3:47 PM, Russ <rucombs at ...589...> wrote:
>
>>
>> On 2/12/15 2:33 AM, Mark Greenman wrote:
>>
>> Thanks for your response and sorry that I'm answering a little late.
>> You are right, sir. But I think active responses are needed for "reject"
>> rules. Actually, based on the manual, Snort must send a TCP reset or ICMP
>> unreachable for reject rules and not for drop rules. I think what I see
>> is that "drop" and "reject" work exactly the same.
>>
>> They are the same only because your config tells Snort to handle drops as
>> rejects.  This config allows drops and rejects to work "at face value":
>>
>> config response: attempts 1
>> #
>> preprocessor stream5_global: track_tcp yes, track_udp no
>> preprocessor stream5_tcp: policy linux
>> #
>> drop tcp any any -> any 80 ( sid:1; msg:"block only"; content:"foo"; )
>> reject tcp any any -> any 80 ( sid:2; msg:"block and reject";
>> content:"bar"; )
>>
>>
>>  Thanks again
>>
>> On Mon, Feb 9, 2015 at 4:24 PM, Russ <rucombs at ...589...> wrote:
>>
>>>  You have active responses enabled with the configuration below.  That
>>> causes Snort to send TCP resets or ICMP unreachables when a session is
>>> blocked.
>>>
>>> preprocessor stream5_global: track_tcp yes, \
>>> ...
>>>    max_active_responses 2, \
>>>    min_response_seconds 5
>>>
>>>
>>> On 2/8/15 5:22 AM, Mark Greenman wrote:
>>>
>>> The configuration file, the rules and a pcap file captured at the
>>> client side are attached to the email.
>>> Thanks
>>>
>>> On 2/7/15, Joel Esler (jesler) <jesler at ...589...> wrote:
>>>
>>>  Drop shouldn't send anything.  So if you are seeing this, we need your
>>> configuration, rules, and a pcap.
>>>
>>> --
>>> Joel Esler
>>> Sent from my iPhone
>>>
>>> On Feb 7, 2015, at 8:29 AM, Mark Greenman <mark.greenman.014 at ...11827...> wrote:
>>>
>>> Hi. Do you know why both drop and reject rules work exactly the same? The
>>> manual says that drop rules must not send RST packets, but they do. Does
>>> anyone know the reason?
>>>
>>> Thanks
>>> ------------------------------------------------------------------------------
>>> Dive into the World of Parallel Programming. The Go Parallel Website,
>>> sponsored by Intel and developed in partnership with Slashdot Media, is
>>> your
>>> hub for all things parallel software development, from weekly thought
>>> leadership blogs to news, videos, case studies, tutorials and more. Take a
>>> look and join the conversation now. http://goparallel.sourceforge.net/
>>> _______________________________________________
>>> Snort-users mailing list: Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest Snort
>>> news!
>>>
>>
>>
>
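An added checker, my own example and not code from this thread or from the Snort project, that parses the two configurations Russ quotes above and reports, per rule, whether a drop will block silently or, because stream5_global enables active responses, also send resets. The conf fragments are constructed from his replies; the option semantics (max_active_responses in stream5_global turning drops into resets, config response with attempts for reject) are taken from the thread, and the regex-based parsing is an assumption that covers only these directives.

```python
import re

# Constructed snort.conf fragment (assumed), built from the config with max_active_responses quoted in the thread.
WITH_ACTIVE_RESPONSE = """\
config response: attempts 1
preprocessor stream5_global: track_tcp yes, \\
   track_udp no, \\
   max_active_responses 2, \\
   min_response_seconds 5
preprocessor stream5_tcp: policy linux
drop tcp any any -> any 80 ( sid:1; msg:"block only"; content:"foo"; )
reject tcp any any -> any 80 ( sid:2; msg:"block and reject"; content:"bar"; )
"""
# Same rules, stream5_global without max_active_responses: drop and reject act "at face value".
FACE_VALUE = WITH_ACTIVE_RESPONSE.replace("   max_active_responses 2, \\\n", "")

def logical_lines(text):
    """Join backslash-continued lines and skip comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf and not buf.startswith("#"):
            out.append(buf)
        buf = ""
    return out

def active_responses_enabled(text):
    """True when stream5_global sets max_active_responses above zero."""
    for line in logical_lines(text):
        if line.startswith("preprocessor stream5_global:"):
            m = re.search(r"max_active_responses\s+(\d+)", line)
            return bool(m) and int(m.group(1)) > 0
    return False

def effective_actions(text):
    """Map sid -> (rule action, what the sensor will actually do on a match)."""
    active, result = active_responses_enabled(text), {}
    for line in logical_lines(text):
        m = re.match(r"(drop|reject)\s+\S+.*?\bsid:\s*(\d+)", line)
        if not m:
            continue
        action, sid = m.group(1), int(m.group(2))
        # A reject always resets; a drop resets only when active responses are on.
        resets = action == "reject" or active
        result[sid] = (action, "block and send RST/ICMP unreachable" if resets else "block silently")
    return result
```

Run effective_actions() over your own snort.conf to see whether a drop rule will show up as a RST at the client, which is the symptom that started this thread.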