I have an odd question. I have been looking for a way to make a "poor man's" Interspect. Checkpoint has a "system" that sits on a segment. It watches all traffic (at layer 2 I assume) for packet signatures and matches them to a database of virus or IDS signatures. If it sees a positive match it will block all traffic from the offending machine and disable any routes. Effectively keeping "bad" systems from infecting other non-patched systems on the LAN.

I know that I can put my firewall in bridged mode dropping it to layer 2 as a network hop basically but still filtering per my rules. I can also add Snort to beef up what is seen and alert. My question is, how could I also effectively block an offending machine?

My assumption is an auto-rule to "block any from offending ip".

snort-inline maybe???

Yeah, Snort can send RST's to both parties or use 3rd party apps to help blocking by firewall.

Can you possible provide a link to docs on implementing snort sending rst's? I found this but was unable to grasp exactly what it is saying

http://www.snort.org/docs/snort_manual/node16.html

One other question; since snort just watches the traffic, not route it, wouldn't it be possible for a host to be infected/compromised before snort could process the rule and send back a rst packet?