Documentation #5724: Why does reject-dev option work only in Sniff Mode - Suricata - Open Information Security Foundation

Actions

Copy link

Documentation #5724

open

Why does reject-dev option work only in Sniff Mode

Added by Michał Podleś over 1 year ago.

Status:

In Progress

Priority:

Normal

Assignee:

OISF Dev

Target version:

TBD

Affected Versions:

Effort:

Difficulty:

Label:

Description

Dear Team,

I would like to ask why is there a requirement for Suricata to be in IDS mode for --reject-dev option to take effect.
From GetCtx(const Packet *p, int injection_type) in suricata/src/respond-reject-libnet11.c :

 if (IS_SURI_HOST_MODE_SNIFFER_ONLY(host_mode)) {
        if (g_reject_dev != NULL) {
            if (p->datalink == LINKTYPE_ETHERNET)
                injection_type = t_inject_mode = LIBNET_LINK;
            devname = g_reject_dev;
            store_ctx = true;
        } else {
            devname = p->livedev ? p->livedev->dev : NULL;
        }
    }

Secondly, is it discouraged to use one of IPS interfaces to be the output interface of reject traffic? I've compiled Suricata with the HOST_MODE_SNIFFER check removed and have been able to receive reject coming from the chosen interface, which has also been used for IPS. It didn't work in some cases but this might be due to the wrong configuration of rules and/or test traffic sent.
Thanks in advance for responses.

Best regards,
Michał Podleś

No data to display

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Documentation #5724

Why does reject-dev option work only in Sniff Mode