From: Phinizy W. H. <phi...@ba...> - 2004-12-29 18:21:08
I want to set up an inline server that will eliminate spyware from our network here at the office. Help desk had a rough week a few weeks ago so they asked me to help out--I found inline. I set up inline using the config files and scripts (rc.firewall to name one) available from the folks at the honeynet project. I am running 2.4 kernel and the ipqueue mod is running. I set the inline box as my gateway and when I use the default rules from the honeynet project I get no log entries (when I visit evil places).

I have found snort rules that drop based on the IP... After I add said rules I visit the folks over at Alchemy/Internet fuel and I cannot load their page. Moreover I see snort_inline logs generated for the event in question. This is the only time I can generate logs and have seen success with inline. I would rather not attack this issue from an IP based approach. I can add those IPs to my firewall if I wanted to do that :) I have also tried the bleeding snort malware rules and converted them to drop rules using the convert script from honeynet. No logs are generated from visiting known spyware havens.

On one hand I think the server is set up correctly--I mean I get a success with the IP based approach. On the other hand pure snort rules don't seem to work at all--any help would be appreciated. Thanks
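The conversion step the poster describes (turning ordinary Snort `alert` rules into snort_inline `drop` rules) is shown below as an added example; it is not the Honeynet Project's convert script and not anything the poster ran. It rewrites only the leading action keyword and leaves comments, `pass` rules, rules that already carry an inline action, and backslash-continued lines alone. The sample rules file is constructed for the example, with sids in the local 1000000+ range, and does not come from the Bleeding Snort ruleset.

```python
import re

# Actions Snort understands; "drop", "sdrop" and "reject" exist only in the
# snort_inline build.  Only "alert" and "log" rules are rewritten, a "pass"
# rule must stay a pass rule or the conversion changes policy, not just action.
CONVERTIBLE = ("alert", "log")
ACTION_RE = re.compile(
    r"^(\s*)(alert|log|pass|activate|dynamic|drop|sdrop|reject)(\s+)(.*)$"
)


def convert_rule_line(line, new_action="drop"):
    """Return (converted_line, changed) for one physical line of a rules file.

    Blank lines, comments and rules whose action is not in CONVERTIBLE come
    back untouched.  The rule header and option string are preserved byte for
    byte, so the converted rule matches exactly the traffic the original did.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line, False
    m = ACTION_RE.match(line)
    if m is None or m.group(2) not in CONVERTIBLE:
        return line, False
    return f"{m.group(1)}{new_action}{m.group(3)}{m.group(4)}", True


def convert_rules(text, new_action="drop"):
    """Convert a whole rules file and return (new_text, number_of_rules_changed).

    Snort lets a rule span several lines when every non-final line ends in a
    backslash.  Only the first physical line carries the action, so any line
    that continues a previous one is copied through without being inspected.
    """
    out = []
    changed = 0
    continuing = False
    for line in text.splitlines():
        if continuing:
            out.append(line)
        else:
            new_line, did_change = convert_rule_line(line, new_action)
            out.append(new_line)
            changed += int(did_change)
        continuing = line.rstrip().endswith("\\")
    trailer = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + trailer, changed


# Constructed sample rules (hypothetical sids and messages), not a real ruleset.
SAMPLE_RULES = """\
# constructed sample, not a Bleeding Snort file
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SAMPLE spyware beacon"; \\
    content:"GET"; uricontent:"/beacon.cgi"; sid:1000001; rev:1;)
pass tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SAMPLE allowed"; sid:1000002; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE already drop"; sid:1000003; rev:1;)
log tcp any any -> any 8080 (msg:"SAMPLE proxy"; sid:1000004; rev:1;)
"""


if __name__ == "__main__":
    converted, count = convert_rules(SAMPLE_RULES)
    print(converted)
    print(f"{count} rule(s) converted to drop")
```

Because only the action keyword changes, a converted rule drops precisely the packets the original rule would have alerted on; if a converted rule produces no snort_inline log, the traffic never matched its header or content options in the first place, which can be checked by loading the unconverted alert rules on the same box before converting them.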