Documentation #5724
closedWhy does reject-dev option work only in Sniff Mode
Description
Dear Team,
I would like to ask why is there a requirement for Suricata to be in IDS mode for --reject-dev option to take effect.
From GetCtx(const Packet *p, int injection_type) in suricata/src/respond-reject-libnet11.c :
if (IS_SURI_HOST_MODE_SNIFFER_ONLY(host_mode)) {
if (g_reject_dev != NULL) {
if (p->datalink == LINKTYPE_ETHERNET)
injection_type = t_inject_mode = LIBNET_LINK;
devname = g_reject_dev;
store_ctx = true;
} else {
devname = p->livedev ? p->livedev->dev : NULL;
}
}
Secondly, is it discouraged to use one of IPS interfaces to be the output interface of reject traffic? I've compiled Suricata with the HOST_MODE_SNIFFER check removed and have been able to receive reject coming from the chosen interface, which has also been used for IPS. It didn't work in some cases but this might be due to the wrong configuration of rules and/or test traffic sent.
Thanks in advance for responses.
Best regards,
Michał Podleś
Updated by Philippe Antoine about 1 month ago
- Status changed from In Progress to New
Updated by Juliana Fajardini Reichow about 1 month ago
- Status changed from New to Rejected
Hello, I'm rejecting this ticket, as this tracker is for bug reports, feature requests, and tracking community and team coding-related tasks.
For asking support questions, please use our forum: https://forum.suricata.io/ questions posted there get way more visibility
and thus have a greater chance of getting timely answers. ;)