<div>Hi, In suricata <font color="#ff0000">1.3.5</font>   util-action.c</div><div>It's a bug writing 'ACTION_REJECT_BOTH' twice. But it seems have fixed in 1.4.</div><div>I think this is the case he mentioned.</div>
<div><br></div><div><br></div><div>uint8_t ActionOrderVal(uint8_t action) {</div><div>    /* reject_both and reject_dst have the same prio as reject */</div><div>    if( action & ACTION_REJECT ||</div><div>        action & ACTION_REJECT_BOTH ||</div>
<div>        <font color="#ff0000">action & ACTION_REJECT_BOTH</font>) {</div><div>        action = ACTION_REJECT;</div><div>    }</div><div>    uint8_t i = 0;</div><div>    for (; i < 4; i++) {</div><div>        if (action_order_sigs[i] == action)</div>
<div>            return i;</div><div>    }</div><div>    /* Unknown action, set just a low prio (high val) */</div><div>    return 10;</div><div>}</div><div><br></div><br><div class="gmail_quote">On Fri, Jan 11, 2013 at 6:09 PM, Victor Julien <span dir="ltr"><<a href="mailto:lists@inliniac.net" target="_blank">lists@inliniac.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On 12/29/2012 03:05 AM, 郑博文 wrote:<br>
> Hello:<br>
>     I am reading suricata codes recently, I think the fisrt<br>
> "ACTION_REJECT_BOTH" should change to "ACTION_REJECT_DST" in<br>
> util-action.c file ActionOrderVal function line 56.<br>
<br>
</div></div>This is the code:<br>
<br>
    if( (action & ACTION_REJECT) ||<br>
        (action & ACTION_REJECT_BOTH) ||<br>
        (action & ACTION_REJECT_DST)) {<br>
        action = ACTION_REJECT;<br>
    }<br>
<br>
How do you think it should be different? If ACTION_REJECT_BOTH would be<br>
changed to ACTION_REJECT_DST the latter would appear twice.<br>
<br>
Cheers,<br>
Victor<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a></font></span></blockquote></div><br>