Support #1368
Reject rules when out of band
Status: Closed
Description
I'm trying to use the reject action to send reset packets when using Suricata out of band using a span port. Running Suricata 2.0.5.
For my testing, I'm using an IP address for an internet webserver. When I create the reject rule, I am seeing the Suricata alert. Using packet capture, I am seeing a few reset packets coming to my computer and the website does struggle to load, but it eventually does load. When Suricata is not running, the website loads instantly and I do not see reset packets.
Do you have any suggestions for fully preventing the connection while out of band? I would really like to avoid going inline. Using drop packets would work better, although it is not an option because the server is out of band.
Thanks!
Updated by Brian Hennigar over 9 years ago
Extra info. Here is the very basic rule that I'm testing with.
# nocase removed: it only modifies a preceding content keyword, and this rule has none
reject ip [IP Address] any -> any any (msg:"My message"; classtype:policy-violation; sid:888881; rev:1;)
Updated by Andreas Herz about 8 years ago
Is this still an issue or could anyone already reproduce the request?
Updated by Victor Julien almost 8 years ago
- Status changed from New to Closed
Resets are going to be best effort by their nature. Ticket #960 might be able to help. But going inline is better even if that has its own set of risks and challenges.
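The "best effort" point above can be made concrete with a small model of how the receiving TCP stack judges a reset, run over constructed packet records; this is an added example, not code from the ticket or from Suricata. It assumes a fixed receive window for every endpoint, ignores sequence wraparound, and uses constructed addresses, ports and timings.

```python
"""Model of how a receiving TCP stack treats a reset (RFC 793 / RFC 5961):
a RST outside the receive window is dropped, one whose SEG.SEQ equals RCV.NXT
resets the connection, and any other in-window RST only earns a challenge ACK.
An out-of-band reject loses whenever the real segment arrives first."""
from collections import namedtuple

Pkt = namedtuple("Pkt", "t src sport dst dport flags seq len")
SYN, FIN, RST = 0x02, 0x01, 0x04   # TCP flag bits used by this model
WINDOW = 65535                     # assumed receive window of every endpoint

def classify_resets(packets):
    """Return {(dst_ip, dst_port, t): verdict} for every RST, in capture order."""
    expected = {}   # (src, sport, dst, dport) -> RCV.NXT the dst holds for that sender
    verdicts = {}
    for p in sorted(packets, key=lambda x: x.t):
        key = (p.src, p.sport, p.dst, p.dport)
        nxt = expected.get(key)
        if p.flags & RST:
            if nxt is None:
                v = "dropped: no connection state"
            elif p.seq == nxt:
                v = "reset: SEG.SEQ == RCV.NXT"
            elif nxt < p.seq < nxt + WINDOW:
                v = "challenge-ack: in window but not exact"
            else:
                v = "dropped: outside receive window"
            verdicts[(p.dst, p.dport, p.t)] = v
            continue
        # Data, SYN and FIN consume sequence space; sequence wraparound is ignored.
        advance = p.len + bool(p.flags & SYN) + bool(p.flags & FIN)
        expected[key] = max(nxt or 0, p.seq + advance)
    return verdicts

C, S = "10.0.0.5", "203.0.113.10"   # constructed client and web-server addresses
SAMPLE = []
# Constructed flows: RST before the response (40001), after it (40002), before it but off by one (40003).
for port, rst_t, data_t, rst_seq in ((40001, .004, .005, 5001),
                                     (40002, .005, .004, 5001),
                                     (40003, .004, .005, 5002)):
    SAMPLE += [Pkt(.000, C, port, S, 80, SYN, 1000, 0),
               Pkt(.001, S, 80, C, port, SYN, 5000, 0),      # SYN-ACK
               Pkt(.002, C, port, S, 80, 0, 1001, 0),        # handshake ACK
               Pkt(.003, C, port, S, 80, 0, 1001, 120),      # HTTP request
               Pkt(rst_t, S, 80, C, port, RST, rst_seq, 0),  # spoofed RST to client
               Pkt(data_t, S, 80, C, port, 0, 5001, 1460)]   # real HTTP response

if __name__ == "__main__":
    for (ip, port, t), verdict in sorted(classify_resets(SAMPLE).items()):
        print(f"t={t:.3f} RST to {ip}:{port} -> {verdict}")
```

Only the first flow is actually torn down; the second shows the race lost to the real response, and the third shows why even an early RST fails when the sensor's sequence number is not exact.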