[Oisf-users] about tcp rst request for using port mirror mode

Amar amar at countersnipe.com
Tue Oct 1 09:59:19 UTC 2019


      
  

Hello Ayhan

If you don't mind me asking, what are you trying to achieve in real terms?

E.g. if you NEED to stop certain traffic (e.g. RDP) from entering your network, why not place the system inline? You will need three interfaces, unless you want the management port to double as in/out too.

Reject is a rather raw way to prevent (IPS), as you could end up flooding your network with reset requests.

In terms of your specific question, I would guess that while the system is busy sending resets it is missing some of the other traffic! I may be completely wrong here though!

Anyway, if you want prevention, just stick it inline, between the world and the switch.

Best

Amar Rathore

www.countersnipe.com

> On Oct 1, 2019 at 3:13 PM, Ayhan ARDA (mailto:ayhanardaistanbul at gmail.com) wrote:
>
> Hello,
>
> I hope I'm writing it in the right place..
>
> I have a Security Onion server and I have 2 interfaces.
> The first is for management. The second is to sniff.
> I mirrored the uplink port of the switch to the sniff interface (no inline traffic, only port mirror).
> Everything works so well (Kibana, Squert, etc.).
> I'm using the Suricata engine for alerting.
> There are a few things I'm curious about.
> I can see all the events.
> I can reject some rules but not all of them. I tested this; for example, when I reject some RDP traffic, my access is cut off. This is a good thing.
> I only do this by typing reject at the beginning of the rule.
> I wonder how this rejection process works, because I only have one interface for sniffing. Why doesn't this method work in some rules?
> Is this interface sending a TCP reset request to my switch?
> Why are some rejection rules working and others not?
> Do I need a third interface for the TCP RST packet to the switch?
>
> Regards
> Ayhan ARDA
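The passive "reject" that the thread is about, as an added example that is not part of either message and is not Suricata's or Security Onion's own code: a sensor that only sees mirrored traffic cannot drop a packet, so a rule such as `reject tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"inbound RDP"; sid:1000001; rev:1;)` can only forge a TCP RST toward each side of the flow, spoofing the other side's address and using sequence numbers the receiver will accept. The Python below shows that bookkeeping end to end: parse the sniffed segment, derive the seq/ack each endpoint will accept (SYN and FIN consume a sequence number, which is the edge case that trips people up), build both spoofed RSTs with valid IP and TCP checksums, and optionally inject them from a chosen interface. Addresses, ports and payload are constructed sample data; the sequence-number rule is my restatement of the TCP state machine, not a copy of Suricata's reject implementation.

```python
"""Added example: how a sniff-only sensor "rejects" a TCP flow by forging
RSTs. Not code from the thread, Suricata or Security Onion; all hosts,
ports and payloads below are constructed sample data.
"""
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; verifies to 0 over a correct packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload=b"", ttl=64):
    """Build an IPv4+TCP packet (no options) with valid IP and TCP checksums."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = bytearray(struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                                (5 << 12) | flags, 8192, 0, 0) + payload)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    struct.pack_into("!H", tcp, 16, inet_checksum(pseudo + bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0,
                               0x4000, ttl, socket.IPPROTO_TCP, 0, src_b, dst_b))
    struct.pack_into("!H", ip, 10, inet_checksum(bytes(ip)))
    return bytes(ip + tcp)


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull the fields a reject decision needs out of a sniffed IPv4+TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF,
        "payload_len": len(tcp) - (off_flags >> 12) * 4,
    }


def checksums_ok(pkt: bytes) -> bool:
    """What the receiving host checks before it even looks at the RST flag."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return inet_checksum(pkt[:ihl]) == 0 and inet_checksum(pseudo + tcp) == 0


def forge_rst_pair(obs: dict):
    """From a sniffed segment A -> B, forge RST-to-B (as A) and RST-to-A (as B).

    SYN and FIN each consume one sequence number, so after a bare SYN the
    peer expects seq+1 even though no payload was carried.
    """
    consumed = obs["payload_len"]
    consumed += 1 if obs["flags"] & TCP_SYN else 0
    consumed += 1 if obs["flags"] & TCP_FIN else 0
    next_seq = (obs["seq"] + consumed) & 0xFFFFFFFF
    # Toward B, pretending to be A: once B has processed the real segment its
    # rcv_nxt is seq+consumed, so that is the seq the RST must carry.
    to_dst = build_ipv4_tcp(obs["src"], obs["dst"], obs["sport"], obs["dport"],
                            next_seq, obs["ack"], TCP_RST | TCP_ACK)
    # Toward A, pretending to be B: A's rcv_nxt is whatever A last acknowledged,
    # and the ACK must cover everything A has sent for A to accept the reset.
    to_src = build_ipv4_tcp(obs["dst"], obs["src"], obs["dport"], obs["sport"],
                            obs["ack"], next_seq, TCP_RST | TCP_ACK)
    return to_dst, to_src


def inject(pkt: bytes, iface: str = "") -> None:
    """Put a forged packet on the wire (needs CAP_NET_RAW; not run offline).
    iface selects the egress interface: a mirror port is often receive-only."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    if iface:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE, iface.encode())
    s.sendto(pkt, (socket.inet_ntoa(pkt[16:20]), 0))


def demo():
    """Constructed sample: an RDP client segment carrying 12 bytes of data."""
    observed = build_ipv4_tcp("10.0.0.5", "10.0.0.20", 51000, 3389,
                              seq=1000, ack=5000, flags=TCP_PSH | TCP_ACK,
                              payload=b"X" * 12)
    fields = parse_ipv4_tcp(observed)
    to_server, to_client = forge_rst_pair(fields)
    return fields, parse_ipv4_tcp(to_server), parse_ipv4_tcp(to_client)


if __name__ == "__main__":
    for name, f in zip(("observed", "rst->server", "rst->client"), demo()):
        print(f"{name:12} {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
              f"seq={f['seq']} ack={f['ack']} flags=0x{f['flags']:02x}")
```

Two checks follow from this. First, a forged RST only helps if it reaches the endpoint before that endpoint has moved on: a short exchange (one request, one reply) can complete before the reset arrives, while a long-lived session like RDP is torn down as soon as one RST lands, which is a common reason a `reject` appears to work for some rules and not others in sniff-only mode. Second, the frame must leave an interface the switch will forward from; many switches treat a SPAN/mirror destination port as receive-only, so run tcpdump on the target host and confirm the RST actually arrives with the expected seq/ack, and if it never does, that is the case for the extra interface on a normal port that the question raises.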