[Snort-users] Newbie questions, Snort on NT, stealth mode vs react/flexresp

Dave Thornburgh dave_thornburgh at ...125...
Wed Oct 9 13:12:04 EDT 2002

John -

Thanks for the file.  In the extracted folder I've got (the NT version),
there is absolutely NO documentation.

Everyone else:

While John did get me the M to RTF, it is extremely sparse, and doesn't
begin to address the interaction of flexresp with stealth sniffing.  Is
anybody out there using it yet?  Or, from another angle, does anybody know
if it's possible to transmit packets from an interface that has no IP
address assigned?


----- Original Message -----
From: "Hicks, John"
To: "'Dave Thornburgh'"
Sent: Wednesday, October 09, 2002 12:16 PM
Subject: RE: [Snort-users] Newbie questions, Snort on NT, stealth mode vs

> README.FLEXRESP should be in the rot of the extracted snort folder. I have
> included it for you just in case :) I haven't used in for real yet, so i
> can't help you there :(
> I even converted the file from Unix to DOS for you.
> hth,
> John
> -----Original Message-----
> From: Dave Thornburgh [mailto:dave_thornburgh at ...125...]
> Sent: Wednesday, October 09, 2002 2:33 PM
> To: Snort-users at lists.sourceforge.net
> Subject: [Snort-users] Newbie questions, Snort on NT, stealth mode vs
> react/flexresp
> Hello all.
> I'm in the investigation/learning phase.  Soon I'll be implementing a
> firewalled internet connection for my company, email server in the DMZ,
> Snort sensors at a couple of key spots - the whole kit & caboodle.  I
> I'm getting a pretty good grasp of Snort basics, or at least as much as I
> can without actually building the boxes & putting them through their
> I'm planning on running Snort on NT, until I get the firewall stuff under
> control and dive back into *nix.
> I am a little confused about the "react" option and the flexresp module,
> especially as it relates to running Snort on a stealthed interface.  If
> there is no stack running for the interface, can flexresp still transmit
> reset packets?  Although I'm far from being an expert, that just didn't
> possible to me.  Or, if I want to use stealth, do I need to give up on
> react?
> Also, I tried searching the mailing list archives for similar questions,
> saw a couple of responses along the lines of "read the flexresp README and
> all will be clear".  My problem is, I searched www.snort.org a couple of
> times, and cannot find a README for flexresp.  Does anybody know if this
> would be found elsewhere on the net?
> Thanks,
> Dave
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list