[Snort-users] Professional Opinions ---wanted

Erek Adams erek at ...577...
Wed Sep 4 14:52:04 EDT 2002

On Wed, 4 Sep 2002, Tim wrote:

> Just wanted to get some opinions from people with experience with FLEXRESP.
> I have been toiling with the idea of jumping in and configuring snort with
> this option in order to manage some of the attacks.

IMHO, not-so-useful.  It works, but due to the way tcp/ip works, it's not that
much use on low-latency links.  If you have high latency, then it might work
for you.

> I did re-compile snort with the flexresp option this time, ( curiosity got
> the better of me ). I made sure to install libnet before I did so. Which
> went fine...no errors. But I'm not sure if after running ./configure
> --enable-flexresp if I was supposed to run make and make install again. Any
> comments or insights to the installation process?

./configure --enable-flexresp && make && make install

Each time you change the compile time options, you _have_ to recompile snort.

> What do you all think....is flexresp worth the effort? What are the pros and
> cons to this little utility? Your opinions are appreciated....TIA

*sigh*  I can see you're trying to stir up trouble!  ;-)  Flexresp is 'useful'
in ways, but not in others.  IMHO, a NIDS should _never_ block or reset
connections.  That's the job of the firewall.  Now, that's my _opinion_.  A
lot of folks use Flexresp with good results and are happy with it.  I don't
use it, but that doesn't mean it isn't useful.

Try using it.  Define a rule to reset any connections to a web site and then
try to browse it.  If it dies, then you should be good to go.


Erek Adams
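
The test suggested in the reply above, written out as an added example (not part of the original post and not code from the Snort project). It assumes a flexresp-enabled build on the PATH, root privileges, and a web server you control; the address 192.0.2.10, interface eth0, the file paths and sid 1000001 are constructed placeholders.

```shell
#!/bin/sh
# Added example: check that a flexresp-enabled Snort build resets a connection.
# All values below are placeholders (assumptions), override via the environment.
TEST_IP="${TEST_IP:-192.0.2.10}"      # web server you control (constructed)
TEST_PORT="${TEST_PORT:-80}"
IFACE="${IFACE:-eth0}"                # interface Snort sniffs on
RULES="${RULES:-/tmp/flexresp-test.rules}"
LOGDIR="${LOGDIR:-/tmp/flexresp-test-log}"

# Emit one rule: on any established TCP packet to the test server,
# alert and send RSTs to both ends (resp:rst_all).
make_rule() {
    printf 'alert tcp any any -> %s %s (msg:"flexresp reset test"; flags:A+; resp:rst_all; sid:1000001; rev:1;)\n' "$1" "$2"
}

# Map a curl exit status to a verdict for this test.
verdict() {
    case "$1" in
        0)        echo "not-reset" ;;     # page loaded, the reset did not win
        52|55|56) echo "reset" ;;         # empty reply / send error / recv error
        28)       echo "timeout" ;;
        *)        echo "inconclusive" ;;  # e.g. 7: server unreachable anyway
    esac
}

run_test() {
    make_rule "$TEST_IP" "$TEST_PORT" > "$RULES"
    mkdir -p "$LOGDIR"
    snort -i "$IFACE" -c "$RULES" -l "$LOGDIR" -A fast &
    snort_pid=$!
    sleep 3                               # give Snort time to start sniffing
    rc=0
    curl -s -o /dev/null --max-time 10 "http://$TEST_IP:$TEST_PORT/" || rc=$?
    kill "$snort_pid"
    echo "curl exit $rc: $(verdict "$rc")"
    echo "alerts written under $LOGDIR"
}

# Only touch the network when explicitly asked: ./flexresp-test.sh run
if [ "${1:-}" = "run" ]; then
    run_test
fi
```

Repeat the run a few times: a mix of "reset" and "not-reset" results means the injected RST is sometimes losing the race against the server's response.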

