Documentation #5724

open

Why does reject-dev option work only in Sniff Mode

Added by Michał Podleś about 2 months ago.

Status:
In Progress
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Dear Team,

I would like to ask why there is a requirement for Suricata to be in IDS mode for the --reject-dev option to take effect.
From GetCtx(const Packet *p, int injection_type) in suricata/src/respond-reject-libnet11.c:

    if (IS_SURI_HOST_MODE_SNIFFER_ONLY(host_mode)) {
        if (g_reject_dev != NULL) {
            /* reject-dev configured: inject at link layer on that device */
            if (p->datalink == LINKTYPE_ETHERNET)
                injection_type = t_inject_mode = LIBNET_LINK;
            devname = g_reject_dev;
            store_ctx = true;
        } else {
            /* no reject-dev: fall back to the device the packet was captured on */
            devname = p->livedev ? p->livedev->dev : NULL;
        }
    }

Secondly, is it discouraged to use one of IPS interfaces to be the output interface of reject traffic? I've compiled Suricata with the HOST_MODE_SNIFFER check removed and have been able to receive reject coming from the chosen interface, which has also been used for IPS. It didn't work in some cases but this might be due to the wrong configuration of rules and/or test traffic sent.
Thanks in advance for responses.

Best regards,
Michał Podleś
