Project

General

Profile

Actions

Documentation #5724

closed

Why does reject-dev option work only in Sniff Mode

Added by Michał Podleś almost 2 years ago. Updated about 1 month ago.

Status:
Rejected
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Dear Team,

I would like to ask why is there a requirement for Suricata to be in IDS mode for --reject-dev option to take effect.
From GetCtx(const Packet *p, int injection_type) in suricata/src/respond-reject-libnet11.c :

 if (IS_SURI_HOST_MODE_SNIFFER_ONLY(host_mode)) {
        if (g_reject_dev != NULL) {
            if (p->datalink == LINKTYPE_ETHERNET)
                injection_type = t_inject_mode = LIBNET_LINK;
            devname = g_reject_dev;
            store_ctx = true;
        } else {
            devname = p->livedev ? p->livedev->dev : NULL;
        }
    }

Secondly, is it discouraged to use one of IPS interfaces to be the output interface of reject traffic? I've compiled Suricata with the HOST_MODE_SNIFFER check removed and have been able to receive reject coming from the chosen interface, which has also been used for IPS. It didn't work in some cases but this might be due to the wrong configuration of rules and/or test traffic sent.
Thanks in advance for responses.

Best regards,
Michał Podleś

Actions #1

Updated by Philippe Antoine about 1 month ago

  • Status changed from In Progress to New
Actions #2

Updated by Juliana Fajardini Reichow about 1 month ago

  • Status changed from New to Rejected

Hello, I'm rejecting this ticket, as this tracker is for bug reports, feature requests, and tracking community and team coding-related tasks.

For asking support questions, please use our forum: https://forum.suricata.io/ questions posted there get way more visibility
and thus have a greater chance of getting timely answers. ;)

Actions

Also available in: Atom PDF