From: Eric H. <eri...@ap...> - 2004-09-13 16:29:26

List: I have several questions regarding Snort-Inline and hope someone may be able to answer a few, if not all:

1) Does anyone know of any newer operating system distros that have the ebtables/bridging firewall patch implemented into the default kernel other than Redhat 7.3 (e.g. Fedora or other Linux distros) that would not require additional patching of the kernel?

2) We are troubleshooting connectivity issues with a Redhat 7.3 installation of the latest 2.1.3 Snort-Inline release. Can anyone provide a list of troubleshooting steps they take when connectivity becomes an issue? I'm using the RC.FIREWALL script provided on honeynet.org. If anyone can look at the below and let me know if they see anything I've missed, that would be great!

a) I've made sure ipqueue is loaded with lsmod
b) I've made sure the rc.firewall script started with no errors
c) I've made sure snort_inline was running with -Q
d) I've made sure the 2 interfaces have been bridged and the right cat5 cables are plugged into the appropriate NIC.
e) I've modified the rc.firewall script to make everything that has DROP set, set to ALLOW.

3) In both customer and internal deployments of Snort-Inline, we continue to use the rc.firewall script from Honeynet even though all deployments have not been for honeynets, rather, just a perimeter IPS. The rc.firewall script is geared towards honeynet deployments. Does anyone know of a different rc script that has been made for non-honeynet deployments that is geared more towards just setting up a bridged snort-inline box that does not do any firewalling and simply passes the traffic straight through the IPS -- none of the fancy ipfilter rules, just ALLOW all rules. For the interim, an ugly hack we've done is to simply do a search/replace on the DROP keyword in the rc.firewall script to ALLOW.

I'm sure there has got to be someone on this list that has done an Enterprise deployment of Snort-Inline and relied on their already deployed firewalls to handle firewalling and wanted the snort-inline bridge to simply pass all traffic in/out. Someone please advise on any one of these item #s.

--
Best Regards,
Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, Inc.
1134 N. Main St.
Algonquin, IL 60102
Direct: (877) 262-7593 x327
http://www.appliedwatch.com
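A minimal pass-through bridge script of the kind question 3 asks for, as an added example that is not from the mail or from honeynet's rc.firewall; it assumes the 2.4-era tools the post refers to (brctl, ifconfig, the ip_queue module and the iptables QUEUE target read by snort_inline -Q) and uses eth0, eth1 and br0 as placeholder names:

```shell
#!/bin/sh
# Added example: a minimal pass-through bridge for a snort_inline sensor, in
# place of honeynet's rc.firewall. Interface and bridge names are placeholders.
INSIDE_IF="${INSIDE_IF:-eth0}"
OUTSIDE_IF="${OUTSIDE_IF:-eth1}"
BRIDGE="${BRIDGE:-br0}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands; 0 = execute them (needs root)

# run_cmd prints a command in dry-run mode, otherwise executes it.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# bridge_up: load ip_queue, build the bridge, enslave both NICs and bring
# them up without IP addresses so the sensor itself is invisible on the wire.
bridge_up() {
    run_cmd modprobe ip_queue
    run_cmd brctl addbr "$BRIDGE"
    run_cmd brctl addif "$BRIDGE" "$INSIDE_IF"
    run_cmd brctl addif "$BRIDGE" "$OUTSIDE_IF"
    run_cmd ifconfig "$INSIDE_IF" 0.0.0.0 promisc up
    run_cmd ifconfig "$OUTSIDE_IF" 0.0.0.0 promisc up
    run_cmd ifconfig "$BRIDGE" 0.0.0.0 promisc up
}

# passthrough_rules: no filtering at all; every bridged packet that reaches
# the FORWARD chain is handed to snort_inline (-Q) through the QUEUE target.
passthrough_rules() {
    run_cmd iptables -F
    run_cmd iptables -P INPUT ACCEPT
    run_cmd iptables -P OUTPUT ACCEPT
    run_cmd iptables -P FORWARD ACCEPT
    run_cmd iptables -A FORWARD -j QUEUE
}

# audit_rules: read a generated ruleset on stdin and confirm it really is
# pass-through: no DROP/REJECT targets left over (what the search/replace
# hack can miss) and exactly one QUEUE rule on FORWARD.
audit_rules() {
    rules=$(cat)
    drops=$(printf '%s\n' "$rules" | grep -c -E -- '-j (DROP|REJECT)' || true)
    queues=$(printf '%s\n' "$rules" | grep -c -E -- '-A FORWARD -j QUEUE' || true)
    [ "$drops" -eq 0 ] && [ "$queues" -eq 1 ]
}

if [ "$DRY_RUN" = "1" ]; then
    bridge_up
    passthrough_rules | audit_rules && echo "# ruleset is pass-through"
fi
```

Run it with DRY_RUN=0 as root to apply the commands. Keep in mind that when nothing is reading ip_queue (snort_inline not running with -Q), the kernel drops every packet sent to QUEUE, so a clean ruleset audit does not by itself rule out the connectivity loss described in question 2.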