Active Responses in Intrusion Drop Rules

A drop rule is an intrusion or preprocessor rule whose rule state is set to Drop and Generate Events. In an inline deployment, the system responds to TCP or UDP drop rules by dropping the triggering packet and blocking the session where the packet originated.

Tip	Because UDP data streams are not typically thought of in terms of sessions, the stream preprocessor uses the source and destination IP address fields in the encapsulating IP datagram header and the port fields in the UDP header to determine the direction of flow and identify a UDP session.

You can configure the system to initiate one or more active responses to more precisely and specifically close a TCP connection or UDP session when an offending packet triggers a TCP or UDP drop rule. You can use active responses in inline, including routed and transparent, deployments. Active responses are not suited or supported for passive deployments.

To configure active responses:

Create or modify a TCP or UDP (resp keyword only) intrusion rule. See Intrusion Rule Header Protocol.
Add the react or resp keyword to the intrusion rule; see xActive Response Keywords.
Optionally, for a TCP connection, specify the maximum number of additional active responses to send and the number of seconds to wait between active responses; see Maximum Active Responses and Minimum Response Seconds in Advanced Transport/Network Preprocessor Options.

Active responses close the session when matching traffic triggers a drop rule, as follows:

TCP—drops the triggering packet and inserts a TCP Reset (RST) packet in both the client and server traffic.
UDP—sends an ICMP unreachable packet to each end of the session.