From: Victor J. <vi...@nk...> - 2004-08-02 19:42:10
Hi Nate,

On Monday 02 August 2004 18:41, Nathaniel Haggard wrote:
> When snort-inline gets a packet that matches a drop rule does it drop
> that packet or does the whole TCP connection drop for a certain amount
> of time.

As far as I know, only the packet. If the dropped packet is a TCP packet with the SYN flag set (for setting up a connection) the connection will not be established.

> While trying snort-inline with irssi I noticed that I would appear to
> stay connected while the lag went up to 255+ and then I would rejoin
> all the channels I used to be in.
>
> Where is the code that does this?

Inside Snort_inline. Snort_inline uses the QUEUE target which allows iptables to send packets to user-space programs.

> What new rules does snort-inline add
> to iptables? iptables -L -n showed no new rules.

It doesn't add rules. By using an iptables rule with the QUEUE target iptables sends the packet to Snort_inline. When Snort_inline thinks the packet should be dropped, it will notify iptables of this so iptables will then drop the packet.

If you want to drop a connection I suggest you try reject instead of drop.

Hope this helps,

Regards,
Victor

> Nate
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
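The setup Victor describes, as an added example (not code from the thread or from the Snort_inline project): a single iptables QUEUE rule hands packets to user space, and the Snort_inline rule action decides whether a matching packet is silently dropped or the session is reset. The IRC port, rule contents and sids are constructed, and the `snort_inline -Q` invocation is assumed from the 2.x command line.

```shell
#!/bin/sh
# Added example: the two halves of a Snort_inline deployment. Note that
# iptables carries no Snort_inline-specific rules; the QUEUE rule is all
# "iptables -L -n" will ever show.
set -eu

# 1. Hand forwarded traffic to user space. Snort_inline returns a verdict
#    per packet through the queue; iptables applies it. Needs root and the
#    ip_queue module, so it is a function rather than run on load.
install_queue_rule() {
    modprobe ip_queue
    iptables -A FORWARD -j QUEUE
}

# 2. Snort_inline rules. "drop" discards only the matching packet (a dropped
#    SYN means no connection at all; an established IRC session just sees
#    lag and retransmits). "reject" tears the TCP session down with a RST.
#    Port 6667, the content match and the sids are constructed values.
write_rules() {
    cat > "$1" <<'EOF'
drop tcp any any -> any 6667 (msg:"IRC: drop matching packet only"; content:"PRIVMSG"; sid:1000001;)
reject tcp any any -> any 6667 (msg:"IRC: reset the whole session"; content:"PRIVMSG"; sid:1000002;)
EOF
}

# Count the rules in a file that use a given Snort_inline action
# (drop, reject or sdrop). grep -c exits 1 on zero matches, hence "|| true".
count_action() {
    grep -c "^$2 " "$1" || true
}

# 3. Start Snort_inline reading from the queue (-Q assumed: inline mode).
run_inline() {
    snort_inline -Q -c "$1"
}
```

Only `install_queue_rule` and `run_inline` touch the live system; `write_rules` and `count_action` can be exercised without root to confirm which action each rule carries.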