[Snort-inline-users] snort inline issues

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I want to setup an inline server that will eliminate spyware from our
network here at the office.  Help desk had a rough week a few weeks ago
so they asked me to help out--I found inline.

I setup inline using the config files and scripts (rc.firewall to name
one) available from the folks at the honeynet project.  I am running 2.4
kernel and the ipqueue mod is running.  I set the inline box as my
gateway and when I use the default rules from the honeynet project I get
no log entries (when I visit evil places).  I have found snort rules
that drops based on the IP... After I add said rules I visit the folks
over at Alchemy/Internet fuel and I cannot load their page.  Moreover I
see snort_inline logs generated for the event in question. This is the
only time I can generate logs and have seen success with inline.  I
would rather not attack this issue from an IP based approach.  I can add
those IP's to my firewall if I wanted to do that :)

I have also tried the bleeding snort malware rules and converted them to
drop rules using the convert script form honeynet. No logs are generated
from visiting known spyware havens. =20

On one hand I think the server is setup correctly--I mean I get a
success with the IP based approach.  On the other hand pure snort rules
don't seem to work at all--sny help would be appreciated.

Thanks