[Oisf-users] Suricata inline in AF-packet mode, reject and drop rules don't send tcp reset

Eric Leblond eric at regit.org
Tue Nov 10 23:17:30 UTC 2015


Hi,

 On Tue, 2015-11-10 at 21:46 +0100, Victor Julien wrote:
> On 03-11-15 17:20, CCAI CCIE wrote:
> > I am running Suricata inline in AF-packet mode, reject and drop rules
> > don't send tcp reset which results in slow browsing and client hanging.
> > Does AF-packet mode support tcp reset?
> 
> I think the reset needs an interface with a route to the ip that needs
> to receive the RST, but not sure. Never tested this scenario.
> 
> Eric, you did some reset improvements sometime back, do you remember
> testing this scenario?

I remember I did that but I had to look at the code to really know how
it was working.

The setup is done via the host-mode variable. If set to "router" then
the reset packet is sent on the interface with a route to the IP. If
set to "sniffer-only" then we use the reception interface to send the
reset packet. The "auto" setting tries to do its best, using "router" if
the engine mode is IPS and "sniffer-only" if not.

In AF_PACKET IPS mode, I don't think "auto" will detect the IPS mode
so we should be in "sniffer-only" mode. I think this is the good choice
in AF_PACKET inline. This means that the reset packet will be sent on
the sniffing interface which is the best we can do in this case.
Probably only reject to src should really work but that should be ok
for the case described.

Maybe we could improve that limitation in AF_PACKET IPS mode by sending
dst reset to the destination interface.

++
-- 
Eric Leblond <eric at regit.org>
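The host-mode behaviour described above, shown as an added suricata.yaml fragment for an AF_PACKET inline pair (this is an example written for this archive page, not configuration from the thread or the Suricata project; the interface names eth0/eth1 and the rule are assumed):

```yaml
# Top-level setting that decides which interface carries RST packets
# generated by reject rules.
#   router       - send the RST on the interface that has a route to the
#                  target IP (what "auto" picks when it detects IPS mode)
#   sniffer-only - send the RST on the interface the packet was received on
#   auto         - default; per the thread, AF_PACKET inline is not detected
#                  as IPS mode, so "auto" effectively behaves as sniffer-only
# Setting it explicitly makes the behaviour visible and reviewable.
host-mode: sniffer-only

af-packet:
  # Assumed interface pair: eth0 faces the clients, eth1 faces the servers.
  - interface: eth0
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    copy-mode: ips        # forward accepted packets to copy-iface, drop the rest
    copy-iface: eth1
  - interface: eth1
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    copy-mode: ips
    copy-iface: eth0

# Assumed rule illustrating the limitation in the thread: in sniffer-only
# mode the RST leaves on the receiving interface, so only the RST aimed at
# the packet's source (rejectsrc) is guaranteed to reach its peer; the one
# aimed at the destination (rejectdst, or half of a plain reject) may not.
#   rejectsrc tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"example reject to src"; sid:1000001; rev:1;)
```

To confirm the RSTs actually leave the box, capture on the sniffing interface while triggering the rule, e.g. `tcpdump -ni eth0 'tcp[tcpflags] & tcp-rst != 0'`.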