[Oisf-users] reject-rules don't drop packages

Victor Julien victor at inliniac.net
Tue Jan 10 15:31:43 UTC 2012


On 01/10/2012 12:47 PM, Thorsten Wagener - Travanto Travel wrote:
> Well, that's true. The rule fires, but the package is not dropped.

I've looked into this and I can confirm it. I'll be fixing it for
tomorrow's 1.2rc1 release.

As it's a missing feature more than a bug, it will only be addressed in
the upcoming 1.2 branch.

Cheers,
Victor

> On 10.01.2012 at 12:26, Victor Julien <victor at inliniac.net> wrote:
> 
>> On 01/10/2012 12:22 PM, Thorsten Wagener - Travanto Travel wrote:
>>> Hi,
>>>
>>> I haven't seen this bug report. But that seems to be my problem. OK, so I have to use af-packet or pfring.
>>
>> That would surprise me. You indicated the rst is sent, so the rule
>> fires. The issue Peter is referring to would cause the rule not to fire.
>>
>> Cheers,
>> Victor
>>
>>> Thanks for the quick reply
>>>
>>> On 10.01.2012 at 11:16, Peter Manev <petermanev at gmail.com> wrote:
>>>
>>>> Hi,
>>>> There is a bug related to inline option set to yes when reading a pcap - that is still not closed.
>>>> I can't confirm for sure if that could be related to your setup or not.
>>>> I will try to reproduce it and get some feedback - see if I get the same result.
>>>>
>>>> Thanks
>>>>
>>>> On Tue, Jan 10, 2012 at 10:56 AM, Thorsten Wagener - Travanto Travel <twagener at travanto.de> wrote:
>>>> Hi,
>>>>
>>>> My Suricata version 1.1.1 does not drop packages from reject rules.
>>>>
>>>> I know that there was a bug, which was fixed in v1.1beta2, but it is still there. Can anyone confirm this problem?
>>>>
>>>> Drop-rule works and bad traffic is dropped. With reject the traffic is not dropped, but a tcp/rst package is sent. Sometimes the rst-package is incoming before the answer and the connection is canceled, but the bad traffic is still not dropped.
>>>>
>>>> Stream inline is set to yes.


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------



