[Snort-users] Documentation suggestions regarding the unreliability flexresp.

Matt Kettler mkettler at ...4108...
Fri Jul 25 12:52:03 EDT 2003

At 01:13 PM 7/25/2003 -0600, Rich Adamson wrote:
> > It seems to be a common misunderstanding that flexresp actually works well
> > and is usable as a reliable alternative to a firewall.
> >
>Seems there are some that jump to the conclusion that flexresp's "only" use
>is as a firewall.

I made no such statement or assumption that firewalling is the "only" use. 
I merely stated it is a common misconception that it can be used as one.. A 
misconception supported by the current state of the documentation.

Were I to believe that flexresp only had use as a firewall, I'd be 
petitioning for the complete removal of flexresp from snort, not a 
correction of the documentation. After all, if the only use of a feature 
doesn't work, having the feature at all is misleading and foolish. But 
that's not the case. Flexresp has it's uses, but has its limits as well.

>It works very well for a number of other functions, and closely emulates
>functionality available in some commercial applications that are not sold
>as an IDS.
>But, the warning should still be included in the documentation. :)

Aye.. I never meant to imply it's useless, it's just got limits that the 
documentation fails to make the user aware of. If you read README.FLEXRESP 
you might well think "oh, this is how I can block packets", when that's not 
how it works.

More information about the Snort-users mailing list