Support #1368
Reject rules when out of band (Closed)
Description
I'm trying to use the reject action to send reset packets when using Suricata out of band via a SPAN port. Running Suricata 2.0.5.
For my testing, I'm using the IP address of an internet webserver. When I create the reject rule, I am seeing the Suricata alert. Using packet capture, I am seeing a few reset packets coming to my computer, and the website does struggle to load, but it eventually does load. When Suricata is not running, the website loads instantly and I do not see reset packets.
Do you have any suggestions for fully preventing the connection while out of band? I would really like to avoid going inline. Dropping packets would work better, although it is not an option because the server is out of band.
Thanks!
Updated by Brian Hennigar almost 10 years ago
Extra info. Here is the very basic rule that I'm testing with.
# nocase only modifies a preceding content match; on its own it is a rule-load error, so it is removed here.
reject ip [IP Address] any -> any any (msg:"My message"; classtype:policy-violation; sid:888881; rev:1;)
Updated by Andreas Herz almost 9 years ago
Is this still an issue or could anyone already reproduce the request?
Updated by Victor Julien over 8 years ago
- Status changed from New to Closed
Resets are going to be best effort by their nature. Ticket #960 might be able to help. But going inline is better even if that has its own set of risks and challenges.
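The "best effort" point above comes down to a race: a sensor on a SPAN port only ever sees a copy of a packet, so the reset it builds from that copy starts out behind the real traffic. The following is an added example (not Suricata code and not from the ticket) that models a simplified TCP receiver applying the RST acceptance rules of RFC 5961 section 3.2 and replays a few constructed timings to show when an injected reset wins, when it is dropped, and when it only draws a challenge ACK. The receiver model, the scenario names, the timings, sequence numbers and window size are all assumptions made for the example.

```python
"""Model of why a reset injected from a SPAN port is best effort.

Added example, not Suricata code. A simplified TCP receiver (the client in
the ticket) consumes segments in arrival order and applies RFC 5961 s3.2:
a RST is honoured only when SEG.SEQ == RCV.NXT, a RST elsewhere inside the
window draws a challenge ACK, and anything else is dropped. All timings,
sequence numbers and window sizes below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Segment:
    arrival_ms: float          # when the receiving host sees the segment
    seq: int                   # sequence number carried by the segment
    length: int = 0            # payload bytes (data segments only)
    rst: bool = False          # True for a reset injected by the sensor


@dataclass
class Receiver:
    rcv_nxt: int               # next in-order byte the receiver expects
    rcv_wnd: int               # advertised receive window
    reset: bool = False
    challenge_acks: int = 0
    delivered: int = 0         # payload bytes handed up to the application
    log: list = field(default_factory=list)

    def process(self, seg: Segment) -> None:
        t = f"{seg.arrival_ms:.1f}ms"
        if self.reset:
            self.log.append(f"{t}: segment ignored, connection already reset")
        elif seg.rst:
            if seg.seq == self.rcv_nxt:
                self.reset = True
                self.log.append(f"{t}: RST seq={seg.seq} == RCV.NXT, connection reset")
            elif self.rcv_nxt < seg.seq < self.rcv_nxt + self.rcv_wnd:
                self.challenge_acks += 1
                self.log.append(f"{t}: RST seq={seg.seq} in window but not RCV.NXT, challenge ACK sent")
            else:
                self.log.append(f"{t}: RST seq={seg.seq} outside window (RCV.NXT={self.rcv_nxt}), dropped")
        elif seg.seq == self.rcv_nxt:
            self.rcv_nxt += seg.length
            self.delivered += seg.length
            self.log.append(f"{t}: data seq={seg.seq} len={seg.length} delivered, RCV.NXT={self.rcv_nxt}")
        else:
            self.log.append(f"{t}: data seq={seg.seq} out of order, held")


# Constructed server reply as the client sees it: two full-size segments from seq 1000.
SERVER_DATA = [Segment(1.0, 1000, 1460), Segment(2.0, 2460, 1460)]

SCENARIOS = {
    # Inline: the RST precedes the first server byte and targets RCV.NXT exactly.
    "inline": SERVER_DATA + [Segment(0.2, 1000, rst=True)],
    # SPAN port: the sensor copies each server segment, builds a RST from the
    # seq it saw and injects it a few hundred microseconds later, by which time
    # the real segment has already advanced RCV.NXT past that value.
    "span_port": SERVER_DATA + [Segment(1.4, 1000, rst=True), Segment(2.4, 2460, rst=True)],
    # SPAN port, sensor predicts the next RCV.NXT (seq + len of the copied
    # segment) and lands before the following segment: the race is won.
    "span_guess_ahead": SERVER_DATA + [Segment(1.4, 2460, rst=True)],
    # SPAN port, prediction lands inside the window but not on RCV.NXT:
    # the host answers with a challenge ACK and keeps the connection.
    "span_in_window": SERVER_DATA + [Segment(1.4, 3000, rst=True)],
}


def run(name: str, rcv_wnd: int = 65535) -> dict:
    """Replay one scenario and summarise what happened to the connection."""
    rx = Receiver(rcv_nxt=1000, rcv_wnd=rcv_wnd)
    for seg in sorted(SCENARIOS[name], key=lambda s: s.arrival_ms):
        rx.process(seg)
    return {"reset": rx.reset, "delivered": rx.delivered,
            "challenge_acks": rx.challenge_acks, "log": rx.log}


if __name__ == "__main__":
    for name in SCENARIOS:
        result = run(name)
        print(f"== {name}: reset={result['reset']} delivered={result['delivered']} bytes")
        for line in result["log"]:
            print("  " + line)
```

The "span_port" scenario is the behaviour reported in the ticket: every reset arrives after the segment it was built from, so the host drops it and the page still loads, only slower because of the extra traffic. The model covers just the client side and a receiver that implements RFC 5961; older stacks accepted any in-window RST, which widens the window for an out-of-band reset to land but does not remove the race.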