[Snort-users] Professional Opinions ---wanted
erek at ...577...
Wed Sep 4 14:52:04 EDT 2002
On Wed, 4 Sep 2002, Tim wrote:
> Just wanted to get some opinions from people with experience with FLEXRESP.
> I have been toiling with the idea of jumping in and configuring snort with
> this option in order to manage some of the attacks.
IMHO, not-so-useful. It works, but due to the way tcp/ip works, it's not that
much use on low-latency links. If you have high latency, then it might work
> I did re-compile snort with the flexresp option this time, ( curiosity got
> the better of me ). I made sure to install libnet before I did so. Which
> went fine...no errors. But I'm not sure if after running ./configure
> --enable-flexresp if I was supposed to run make and make install again. Any
> comments or insights to the installation process?
./configure --enable-flexresp && make && make install
Each time you change the compile time options, you _have_ to recompile snort.
> What do you all think....is flexresp worth the effort? What are the pros and
> cons to this little utility? Your opinions are appreciated....TIA
*sigh* I can see you're trying to stir up trouble! ;-) Flexresp is 'useful'
in ways, but not in others. IMHO, a NIDS should _never_ block or reset
connections. That's the job of the firewall. Now, that's my _opinion_. A
lot of folks use Flexresp with good results and are happy with it. I don't
use it, but that doesn't mean it isn't useful.
Try using it. Define a rule to reset any connections to a web site and then
try to browse it. If it dies, then you should be good to go.
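
The check suggested above (browse to the site and see whether the connection dies), written as a script. This is an added example, not part of the original post; the rule in the comment, its address and sid, and the local stand-in server are constructed for illustration.

```python
import socket
import struct
import threading

# Constructed Snort rule for the test (address and sid are placeholders):
#   alert tcp any any -> 192.0.2.10 80 (msg:"flexresp test"; resp:rst_all; sid:1000001;)
def probe(host, port, timeout=5.0):
    """Send one HTTP request and classify how the connection ended."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except (ConnectionResetError, BrokenPipeError):
        return "reset"  # an RST tore the session down
    except socket.timeout:
        return "timeout"
    # A full response means any injected RST arrived too late to matter.
    return "completed" if data else "closed-empty"

def serve_once(reset):
    """Constructed local stand-in for the web site: one connection, RST or normal close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def run():
        conn, _ = srv.accept()
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
        if reset:  # SO_LINGER with a zero timeout makes close() send an RST
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        else:
            conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nok")
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return port

if __name__ == "__main__":
    for r in (True, False):
        print(probe("127.0.0.1", serve_once(r)))
```

Against a real test host, call `probe()` with its address and port while the rule is loaded; a result of "completed" means the response got through before any reset took effect.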