[Snort-users] disabling sniping

Al Lewis (allewi) allewi at cisco.com
Fri May 3 09:45:36 EDT 2019


Reject should send the reset/icmp unreachable. Drop shouldn’t.

08:51:53.939581 IP 10.5.32.125.143 > 10.4.15.120.46590: Flags [R.], seq 9779, ack 311, win 0, length 0
08:51:53.939581 IP 10.4.15.120.46590 > 10.5.32.125.143: Flags [R.], seq 311, ack 9779, win 0, length 0

With the reject keyword I see the resets above. With drop there is nothing in the capture.

Use “--daq dump” to see the traffic. A file named “inline-out.pcap” should be generated.


From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of "Graham Bartlett (grbartle) via Snort-users" <snort-users at lists.snort.org>
Reply-To: "Graham Bartlett (grbartle)" <grbartle at cisco.com>
Date: Friday, May 3, 2019 at 9:27 AM
To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: [Snort-users] disabling sniping

Hi

I have set up snort in inline mode.

It’s working as planned, but I would like the snort to silently discard dropped traffic, rather than sending an ICMP unreachable.

Is there a method to do this?

I looked at sniping and setting the reply number to 0, but this didn’t seem possible.

<att> ::= (1..20)

Many thanks
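
Added example, not part of the original thread: a Python check over tcpdump text output (for instance from reading the inline-out.pcap file mentioned in the reply with `tcpdump -nn -r`, an assumed workflow) that reports whether resets or ICMP unreachables were emitted for blocked traffic. The function names and every sample line other than the two resets quoted in the reply are constructed for illustration.

```python
import re

# The two reset lines are the ones quoted in the reply; the rest is constructed.
REJECT_SAMPLE = """\
08:51:53.939581 IP 10.5.32.125.143 > 10.4.15.120.46590: Flags [R.], seq 9779, ack 311, win 0, length 0
08:51:53.939581 IP 10.4.15.120.46590 > 10.5.32.125.143: Flags [R.], seq 311, ack 9779, win 0, length 0
"""
DROP_SAMPLE = """\
08:51:50.100000 IP 10.4.15.120.46590 > 10.5.32.125.143: Flags [S], seq 300, win 29200, length 0
08:51:50.100400 IP 10.5.32.125.143 > 10.4.15.120.46590: Flags [S.], seq 9700, ack 301, win 28960, length 0
08:51:50.100800 IP 10.4.15.120.46590 > 10.5.32.125.143: Flags [P.], seq 301:311, ack 9701, win 229, length 10
"""
ICMP_SAMPLE = "08:51:53.939600 IP 10.5.32.125 > 10.4.15.120: ICMP 10.5.32.125 tcp port 143 unreachable, length 48\n"

TCP_RE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>[^\s:]+): Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+))?(?:, ack (?P<ack>\d+))?")
ICMP_RE = re.compile(r"IP (?P<src>\S+) > (?P<dst>[^\s:]+): ICMP .*unreachable")

def active_responses(capture_text):
    """Return (mirrored_reset_pairs, lone_resets, icmp_unreachables)."""
    resets, icmp = [], []
    for line in capture_text.splitlines():
        tcp = TCP_RE.search(line)
        if tcp and "R" in tcp["flags"]:
            resets.append((tcp["src"], tcp["dst"], tcp["seq"], tcp["ack"]))
        elif (unreach := ICMP_RE.search(line)):
            icmp.append((unreach["src"], unreach["dst"]))
    # Pair resets sent to both ends of one flow with swapped seq/ack, the
    # pattern in the reply's capture. A lone reset may come from an endpoint.
    pairs, lone = [], list(resets)
    for rst in resets:
        src, dst, seq, ack = rst
        mirror = (dst, src, ack, seq)
        if seq and ack and rst != mirror and rst in lone and mirror in lone:
            lone.remove(rst)
            lone.remove(mirror)
            pairs.append((rst, mirror))
    return pairs, lone, icmp

def verdict(capture_text):
    pairs, lone, icmp = active_responses(capture_text)
    if pairs or icmp:
        return "active response seen (consistent with reject)"
    if lone:
        return "one-sided reset only (may come from an endpoint)"
    return "no resets or unreachables (consistent with drop)"

if __name__ == "__main__":
    for name, text in [("reject", REJECT_SAMPLE), ("drop", DROP_SAMPLE), ("icmp", ICMP_SAMPLE)]:
        print(name, "->", verdict(text))
```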