[Oisf-users] about tcp rst request for using port mirror mode

Ayhan ARDA ayhanardaistanbul at gmail.com
Tue Oct 1 09:42:43 UTC 2019


I hope I'm writing this in the right place.

I have a Security Onion server and I have 2 interfaces.
The first is for management. The second is to sniff.
I mirrored the uplink port of the switch to the sniff interface (no inline
traffic, only port mirror).
Everything works so well (Kibana, Squert, etc.).
I'm using the Suricata engine for alerting.
There are a few things I'm curious about.
I can see all the events.
I can reject some rules but not all of them. I tested this; for example,
when I reject some RDP traffic, my access is cut off. This is a
good thing.
I only do this by typing reject at the beginning of the rule.
I wonder how this rejection process works, because I only have one interface
for sniffing. Why doesn't this method work with some rules?
Is this interface sending a TCP reset to my switch?
Why are some reject rules working and others not?
Do I need a third interface to send the TCP RST packet to the switch?

Ayhan ARDA
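The question above is why a `reject` rule from a passive (port-mirror) sensor sometimes cuts a session and sometimes does not. The Python model below is an added illustration, not code from the original post, from Security Onion or from the Suricata project. It implements the receiver-side RST acceptance check from RFC 5961 section 3.2 (a RST is honoured only when its sequence number equals RCV.NXT; elsewhere in the window it draws a challenge ACK; outside the window it is dropped) and races a forged reset against the real peer's next data segment. The sequence numbers, window size and segment length are constructed sample values.

```python
"""Model of a TCP endpoint deciding whether to honour a RST that was
injected from a passive sensor (added illustration, not Suricata code).

A sensor on a mirror port only sees copies of packets, so its RST can
only be built from what it already saw: to reset the *sender* of the
triggering packet it reuses that packet's ACK number, which is the
sender's RCV.NXT at capture time. If the real peer's reply reaches the
sender first, RCV.NXT moves on and the forged RST is stale.
"""
from dataclasses import dataclass


@dataclass
class Receiver:
    rcv_nxt: int            # next sequence number expected from the peer
    rcv_wnd: int            # advertised receive window
    closed: bool = False

    def in_window(self, seq: int) -> bool:
        return self.rcv_nxt <= seq < self.rcv_nxt + self.rcv_wnd

    def on_data(self, seq: int, length: int) -> None:
        # In-order data advances the window; out-of-order data is ignored
        # in this simplified model.
        if seq == self.rcv_nxt:
            self.rcv_nxt += length

    def on_rst(self, seq: int) -> str:
        """RFC 5961 section 3.2 RST handling."""
        if self.closed:
            return "already-closed"
        if seq == self.rcv_nxt:
            self.closed = True
            return "reset"
        if self.in_window(seq):
            return "challenge-ack"   # in window but not exact: ask peer to confirm
        return "dropped"             # outside the receive window


def forged_rst_seq(ack_in_trigger_packet: int) -> int:
    """Sequence number a passive sensor uses to reset the sender of the
    packet that matched the rule: the ACK number it observed."""
    return ack_in_trigger_packet


def run_race(rst_arrives_first: bool, server_bytes: int = 1000) -> str:
    """Constructed scenario: the client sent a request whose ACK field said
    it expects the server's next byte to be seq 5000. The sensor builds a
    RST with that seq; the real server reply (server_bytes long) is racing it.
    """
    client = Receiver(rcv_nxt=5000, rcv_wnd=65535)
    rst_seq = forged_rst_seq(5000)
    if rst_arrives_first:
        return client.on_rst(rst_seq)           # exact match: session reset
    client.on_data(5000, server_bytes)          # real reply lands first
    return client.on_rst(rst_seq)               # RST seq is now behind RCV.NXT


def rst_outcomes() -> dict:
    """All three RFC 5961 outcomes on one constructed connection."""
    r = Receiver(rcv_nxt=5000, rcv_wnd=65535)
    return {
        "outside_window": r.on_rst(4000),       # below RCV.NXT: dropped
        "in_window_inexact": r.on_rst(5100),    # in window, wrong seq: challenge ACK
        "exact": r.on_rst(5000),                # exact: reset
    }


if __name__ == "__main__":
    print("RST first     :", run_race(True))    # reset
    print("server first  :", run_race(False))   # dropped
    print("outcome table :", rst_outcomes())
```

The model only covers the receiving endpoint's check; it does not try to reproduce how any particular sensor chooses which end to reset or which interface it transmits on. The practical reading for a mirror-port deployment is that a reject is a race the sensor has to win: the RST must be sent out of an interface that can actually reach the endpoint, and it must land before the legitimate peer's next segment moves the window. A rule that matches early in a session (for example on the first request, as with the RDP test above) gives the reset a much better chance than one that matches after the response is already in flight.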
