In rules configuration of snort I have:
alert tcp any any -> any any (msg:"HTTP Connection"; react:block;)
However when I add:
alert icmp any any -> any any (msg:"HTTP Connection"; react:block;)
it gives me a error that react is not allowed for ICMP.
Is there any other way to enable this?
How can I block packets in snort?
Snort does not block packets. Snort is an intrusion detection and prevention system.
The React rule option is intended to be used with TCP connections. The react keyword, when it matches, will generate multiple reset packets to both end of the connection to shoot it down.
Since ICMP is a datagram protocol that operates at the network level, there is no way to "shoot it down." If you'd like to block these you really need to use a firewall. :)
