[Snort-users] Newbie questions, Snort on NT, stealth mode vs react/flexresp

Dave Thornburgh dave_thornburgh at ...125...
Wed Oct 9 11:22:04 EDT 2002

Hello all.

I'm in the investigation/learning phase.  Soon I'll be implementing a
firewalled internet connection for my company, email server in the DMZ,
Snort sensors at a couple of key spots - the whole kit & caboodle.  I think
I'm getting a pretty good grasp of Snort basics, or at least as much as I
can without actually building the boxes & putting them through their paces.
I'm planning on running Snort on NT, until I get the firewall stuff under
control and dive back into *nix.

I am a little confused about the "react" option and the flexresp module,
especially as it relates to running Snort on a stealthed interface.  If
there is no stack running for the interface, can flexresp still transmit the
reset packets?  Although I'm far from being an expert, that just didn't seem
possible to me.  Or, if I want to use stealth, do I need to give up on using

Also, I tried searching the mailing list archives for similar questions, and
saw a couple of responses along the lines of "read the flexresp README and
all will be clear".  My problem is, I searched www.snort.org a couple of
times, and cannot find a README for flexresp.  Does anybody know if this
would be found elsewhere on the net?
