[Oisf-users] Out of Band reject actions

Brian Hennigar bhennigar at gmail.com
Tue Jan 20 23:35:47 UTC 2015


I'm trying to use the reject action to send reset packets when using
Suricata out of band using a span port to monitor traffic. Running suricata
2.0.5.

For my testing, I'm using an IP address for an internet webserver. When I
create the reject rule, I am seeing the suricata alert. Using packet
capture, I am seeing a few reset packets coming to my computer and the
website does struggle to load but it eventually does load. When suricata is
not running, the website loads instantly and I do not see reset packets.

Do you have any suggestions for fully preventing the connection while out of
band? I would really like to avoid going inline. Using drop packets would
work better, although it is not an option because the server is out of band.

Here is the very basic rule that I'm testing with.

reject ip [IP Address] any -> any any (msg:"My message"; classtype:policy-violation; sid:888881; rev:1;)

(The "nocase;" keyword has been dropped from the rule as quoted: Suricata only accepts nocase directly after a content match, and this rule has none, so it would not load as written.)


Thanks!
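Added example, not part of the original post or of Suricata itself: a small offline replay that shows why an out-of-band reject is a race rather than a block. A sensor on a SPAN port cannot discard anything; it can only forge a RST after it has seen the matching packet, and that RST competes with the real server's reply. The packet trace below is constructed by hand, the alert delay values are assumptions, and the RST is built the way a spoofed reset toward the client is usually built (sequence number taken from the ACK of the packet that matched). The client-side acceptability check follows RFC 793 (in-window) and RFC 5961 (exact rcv_nxt match, otherwise challenge ACK).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    t: float          # capture time in seconds, relative to the client's SYN
    src: str          # "client", "server" or "sensor" (passive Suricata box)
    dst: str
    flags: str        # TCP flags, e.g. "S", "SA", "PA", "R"
    seq: int
    ack: int
    payload: int = 0  # bytes of application data carried


# Constructed trace (not a real capture): handshake, client request, first
# segment of the server's reply. Timestamps assume ~20 ms RTT to the server.
TRACE = [
    Pkt(0.000, "client", "server", "S", 1000, 0),
    Pkt(0.020, "server", "client", "SA", 5000, 1001),
    Pkt(0.020, "client", "server", "A", 1001, 5001),
    Pkt(0.021, "client", "server", "PA", 1001, 5001, 120),   # GET request
    Pkt(0.041, "server", "client", "PA", 5001, 1121, 1400),  # reply data
]


def craft_reject(trigger: Pkt, alert_delay: float) -> Pkt:
    """Forge the RST an out-of-band sensor sends toward the client, spoofed as
    the server: its seq is the matched packet's ack, and it leaves the sensor
    alert_delay seconds after the sensor saw that packet (assumed value)."""
    return Pkt(trigger.t + alert_delay, "sensor", "client", "R",
               seq=trigger.ack, ack=trigger.seq + trigger.payload)


def replay(trace, alert_delay, window=65535):
    """Replay the trace plus the forged RST in arrival order, tracking the
    client's receive state, and report what the client's stack does with the
    RST. Only the client side is modelled; the RST the sensor also sends to
    the server races the same way."""
    trigger = next(p for p in trace if p.src == "client" and p.payload > 0)
    rst = craft_reject(trigger, alert_delay)
    events = sorted(trace + [rst], key=lambda p: p.t)  # stable: RST after ties

    rcv_nxt = None            # next sequence number the client expects
    data_before_rst = 0       # server bytes the client already accepted
    for p in events:
        if p.dst != "client":
            continue
        if "S" in p.flags:
            rcv_nxt = p.seq + 1               # SYN consumes one sequence number
        elif "R" in p.flags:
            if not (rcv_nxt <= p.seq < rcv_nxt + window):
                verdict = "dropped"           # RFC 793: outside receive window
            elif p.seq == rcv_nxt:
                verdict = "accepted"          # RFC 5961: exact match resets
            else:
                verdict = "challenge_ack"     # RFC 5961: in window but not exact
            return {
                "verdict": verdict,
                "rst_seq": p.seq,
                "client_rcv_nxt": rcv_nxt,
                "data_bytes_before_rst": data_before_rst,
                "rst_delay_ms": round((p.t - trigger.t) * 1000, 1),
            }
        else:
            rcv_nxt += p.payload
            data_before_rst += p.payload
    return {"verdict": "no_rst_seen"}


if __name__ == "__main__":
    for delay in (0.005, 0.030):
        print(f"alert delay {delay * 1000:.0f} ms ->", replay(TRACE, delay))
```

With a 5 ms alert delay the forged RST arrives before the server's data, matches rcv_nxt exactly and tears the connection down. With a 30 ms delay the server's 1400-byte segment has already advanced the client's rcv_nxt, so the same RST is now below the window and a conforming client silently discards it; what the user saw (a page that stalls and then loads) is what this race looks like when the sensor sometimes wins and sometimes loses. The only configuration that removes the race is one where the enforcement point sits in the forwarding path.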