[Snort-users] More explanation needed in Snort User Manual for "resp:"?

Jason Haar Jason.Haar at ...294...
Thu Nov 6 14:16:12 EST 2003

On Thu, Nov 06, 2003 at 04:58:59PM -0500, Kristofer T. Karas wrote:
> To deal with the NAT issues, just place your promiscuous feed inbound 
> from your NAT box, e.g. in your DMZ.  Snort will only see your inside IP 
> addresses, which is, after all, what you really want anyway; there's no 
> point in reporting issues with a shared IP address, as you can't (in 
> general) track that back to a specific post-NAT machine.

I think you're pointing out one big assumption in my arguement. I want Snort
to be monitoring within our DMZes for two reasons:

1> it won't catch all the cr*p the Internet throws at our firewall - only that
   which it deems appropriate gets into the DMZ - and into Snorts view
2> it can see DMZ - to - DMZ traffic

Putting Snort in front of the NAT firewall would remove my issues with
flexresp - but it doesn't fix the fact that my alerts would go up - let's
guess - 1000%?. Oh, and I wouldn't see DMZ - to - DMZ traffic anymore.

More Snort boxes would solve it - but I don't like that as a fix.

I think flexresp2 will fix my problem. Separate configs with separate
instances of Snort should mean I'll get to pump RESETs out the correct


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list