From: Peter J M. <pm...@co...> - 2005-03-07 03:37:16

I've done tons of reading and research, so these questions are not being asked blind.

1. I know for inline we have to use the snort_inline.conf. But why is the snort.conf also in the /etc/ directory when you unpack snort_inline? What do we need that for? I'm guessing we can run two instances of snort, and reference snort_inline.conf for the blocking ruleset, and reference the 2nd instance of snort for alerting or traffic sniffing (for honeynet) purposes? But if this is the case, wouldn't we have to install regular snort for the 2nd instance? Can snort_inline be used and act like regular snort if called with snort.conf?

2. I read the Honeynet GenII paper, which talks about how to set up the rc.firewall script. It is straightforward. I do not see anything in snort_inline.conf that references rc.firewall. I assume you have to run the script first, then run snort_inline. What command do you use to invoke rc.firewall?

3. I also would like to use the snort_inline startup script. What do I need to do to use that as well?

4. I am using a 2.6 kernel (Fedora 3). I read through all of the bridging how-to docs, and confirm I have the bridging packages installed properly in the kernel. I read about possibly needing some patches to allow bridging to work with iptables. The bridging website did not have any patches, and mentioned not worrying if you are using new 2.4 and 2.6 kernels. I just want to double-check since I'm asking all these questions anyway. Am I correct if I say the 2.6 kernel does not need a patch because bridging and iptables working together is built into the new kernels?

5. The output methods for snort_inline.conf are:

   alert_fast
   alert_full

   alert_fast gives you limited information, and alert_full slows Snort down a lot. I believe both these plugins ask snort to do some extra work to convert from binary to ASCII and log it. Can I just have snort_inline use the unified binary output plugin for the fastest speed? Then use Barnyard to gather logs and output to a database? I would like to test snort_inline in a gigabit+ environment.

Thanks,
Peter
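Question 4 above asks whether a 2.6 kernel already has the bridge/iptables integration that snort_inline's inline mode relies on. The script below is an added example, not part of the original post or of the snort_inline project: a pre-flight check that reads the two /proc entries a 2.6 kernel exposes for exactly this (the bridge-nf-call-iptables sysctl that exists only when bridge-netfilter support is compiled in, and /proc/net/ip_queue, which appears when the ip_queue interface behind the iptables QUEUE target is registered). The ROOT argument is an assumption of this example: it defaults to the real filesystem but can point at a constructed directory tree so the checks can be exercised without a bridge, and the --run flag is likewise only a convention of this script.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for running
# snort_inline on a bridging 2.6 kernel. ROOT (first argument of each
# function) is normally empty, meaning "/"; tests pass a constructed tree.

# Prints "ok" when the bridge-netfilter hook is present and enabled.
# The sysctl file only exists when the kernel was built with bridge-netfilter
# support (and the bridge module is loaded); a value of 0 means bridged frames
# bypass iptables, so the QUEUE rule would never see them.
check_bridge_nf() {
  root="${1:-}"
  f="$root/proc/sys/net/bridge/bridge-nf-call-iptables"
  if [ ! -r "$f" ]; then
    echo "missing"      # no bridge-netfilter support, or bridge not loaded
    return 1
  fi
  if [ "$(cat "$f")" = "1" ]; then
    echo "ok"
  else
    echo "disabled"     # present but turned off via sysctl
    return 1
  fi
}

# Prints "ok" when /proc/net/ip_queue exists, i.e. the ip_queue interface
# that snort_inline reads queued packets from is registered.
check_ipqueue() {
  root="${1:-}"
  if [ -r "$root/proc/net/ip_queue" ]; then
    echo "ok"
  else
    echo "missing"      # modprobe ip_queue (or build it in) before starting
    return 1
  fi
}

# Runs both checks with labels; exit status is 0 only if both pass.
preflight() {
  root="${1:-}"
  rc=0
  printf 'bridge-nf-call-iptables: '; check_bridge_nf "$root" || rc=1
  printf 'ip_queue:                '; check_ipqueue "$root" || rc=1
  return $rc
}

# Usage: sh preflight.sh --run            (checks the live system)
#        sh preflight.sh --run /some/tree (checks a constructed tree)
if [ "${1:-}" = "--run" ]; then
  preflight "${2:-}"
fi
```

Both entries are read-only probes, so the script needs no privileges; it only tells you whether the kernel side of the inline bridge is in place before snort_inline is started against snort_inline.conf.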