[Snort-users] disabling sniping

Al Lewis (allewi) allewi at cisco.com
Fri May 3 09:45:36 EDT 2019

Reject should send the reset/icmp unreachable. Drop shouldn’t.

08:51:53.939581 IP > Flags [R.], seq 9779, ack 311, win 0, length 0
08:51:53.939581 IP > Flags [R.], seq 311, ack 9779, win 0, length 0

With the reject keyword I see the resets above. With drop there is nothing in the capture.

Use “--daq dump” to see the traffic. A file named “inline-out.pcap” should be generated.

From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of "Graham Bartlett (grbartle) via Snort-users" <snort-users at lists.snort.org>
Reply-To: "Graham Bartlett (grbartle)" <grbartle at cisco.com>
Date: Friday, May 3, 2019 at 9:27 AM
To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: [Snort-users] disabling sniping


I have set up Snort in inline mode.

It’s working as planned, but I would like Snort to silently discard dropped traffic, rather than sending an ICMP unreachable.

Is there a method to do this?

I looked at sniping and setting the reply number to 0, but this didn’t seem possible.

<att> ::= (1..20)

Many thanks
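
Added example, not part of the original thread and not Snort project code: a small checker for the verification step described in the reply, counting TCP resets and ICMP destination-unreachable packets in a capture such as the "inline-out.pcap" written by "--daq dump". It assumes a classic microsecond pcap with untagged Ethernet and IPv4; the function name and the sample captures are constructed for illustration.

```python
import struct

def count_replies(pcap: bytes) -> dict:
    """Count TCP RSTs and ICMP unreachables in a classic Ethernet pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic microsecond-resolution pcap")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    counts = {"packets": 0, "tcp_rst": 0, "icmp_unreach": 0}
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        counts["packets"] += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated, VLAN-tagged or not IPv4: not inspected
        ip = frame[14:]
        proto, l4 = ip[9], ip[(ip[0] & 0x0F) * 4:]
        if proto == 6 and len(l4) >= 14 and l4[13] & 0x04:
            counts["tcp_rst"] += 1  # RST bit set (tcpdump shows [R] or [R.])
        elif proto == 1 and l4[:1] == b"\x03":
            counts["icmp_unreach"] += 1  # ICMP type 3, destination unreachable
    return counts

# --- Constructed sample captures (zeroed MACs, addresses and checksums) ---
def _tcp(flags: int) -> bytes:
    return struct.pack("!HHIIBBHHH", 40000, 80, 9779, 311, 0x50, flags, 0, 0, 0)

def _frame(proto: int, l4: bytes) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                     proto, 0, bytes(4), bytes(4))
    return bytes(12) + b"\x08\x00" + ip + l4

def _pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

REJECT_SAMPLE = _pcap([_frame(6, _tcp(0x02)), _frame(6, _tcp(0x14)),
                       _frame(6, _tcp(0x14))])   # SYN, then two RST+ACK
DROP_SAMPLE = _pcap([_frame(6, _tcp(0x02))])     # SYN only, nothing injected
UNREACH_SAMPLE = _pcap([_frame(1, b"\x03\x03" + bytes(6))])  # ICMP port unreachable

if __name__ == "__main__":
    for name, cap in [("reject", REJECT_SAMPLE), ("drop", DROP_SAMPLE),
                      ("unreach", UNREACH_SAMPLE)]:
        print(name, count_replies(cap))
```

To check a real capture, pass the file's bytes, for example `count_replies(open("inline-out.pcap", "rb").read())`; non-zero `tcp_rst` or `icmp_unreach` counts mean something in the path is still sending active responses.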