[Oisf-users] reject-rules don't drop packages

Victor Julien victor at inliniac.net
Tue Jan 10 16:33:22 UTC 2012


Should be fixed in the current git master.

On 01/10/2012 04:31 PM, Victor Julien wrote:
> On 01/10/2012 12:47 PM, Thorsten Wagener - Travanto Travel wrote:
>> Well, that's true. The rule fires, but the package is not dropped.
> 
> I've looked into this and I can confirm it. I'll be fixing it for
> tomorrow's 1.2rc1 release.
> 
> As it's a missing feature more than a bug, it will only be addressed in
> the upcoming 1.2 branch.
> 
> Cheers,
> Victor
> 
>> On 10.01.2012 at 12:26, Victor Julien <victor at inliniac.net> wrote:
>>
>>> On 01/10/2012 12:22 PM, Thorsten Wagener - Travanto Travel wrote:
>>>> Hi,
>>>>
>>>> I haven't seen this bug report. But that seems to be my problem. OK, so I have to use af-packet or pfring.
>>>
>>> That would surprise me. You indicated the rst is sent, so the rule
>>> fires. The issue Peter is referring to would cause the rule not to fire.
>>>
>>> Cheers,
>>> Victor
>>>
>>>> Thanks for the quick reply
>>>>
>>>> On 10.01.2012 at 11:16, Peter Manev <petermanev at gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>> There is a bug related to the inline option set to yes when reading a pcap - that is still not closed.
>>>>> I can't confirm for sure if that could be related to your setup or not.
>>>>> I will try to reproduce it and get some feedback - see if I get the same result.
>>>>>
>>>>> Thanks
>>>>>
>>>>> On Tue, Jan 10, 2012 at 10:56 AM, Thorsten Wagener - Travanto Travel <twagener at travanto.de> wrote:
>>>>> Hi,
>>>>>
>>>>> My Suricata version 1.1.1 does not drop packages from reject rules.
>>>>>
>>>>> I know that there was a bug, which was fixed in v1.1beta2, but it is still there. Can anyone confirm this problem?
>>>>>
>>>>> Drop-rule works and bad traffic is dropped. With reject the traffic is not dropped, but a tcp/rst package is sent. Sometimes the rst-package is incoming before the answer and the connection is canceled, but the bad traffic is still not dropped.
>>>>>
>>>>> Stream inline is set to yes.
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------



