  1. #1 (Just Joined!, Join Date: Aug 2009, Posts: 2)

    Snort IDS noobie

    What I am trying to do is set up a Snort box/IDS from my cable modem to my Linksys wireless/hardwire router to sniff traffic for intrusions. I have a quad core running 6 GB of RAM with Fedora Core 11 and a 500 GB hard drive. I have two eths (eth0/eth1) to allow traffic to pass through from one eth to the other and onto the network and back out to the internet.

    I can get Snort to work but am having trouble getting the box to allow the traffic to flow both ways (in/out) and logging it to the MySQL database so BASE can see it.

    I have used several tutorials and spent countless hours/days on this project. I have a small server farm with 4 nodes set up on an LBS using Apache, along with a "hot LBS" also using Apache to load balance the web servers.

    I had someone use a bot on me and did the long, but I felt right, thing in changing my IP and reinstalling all computers from scratch. I also did away with the DMZ (BAAAAAD!) and am using port forwarding at the router, as well as having locked down all my boxes to use only necessary ports, etc. This has stopped the attack, but I am concerned about new ones and I don't/can't do that for every attack that may occur.

    Does anyone know of a very exhaustive/comprehensive installation guide for a very new noobie on this IDS question? If so, I could really use your help here. Again, the hours alone spent on this are getting to be somewhat counterproductive.

    Things I need to know....

    Do I need to set up my box as a DNS with snort/base/adodb/php-pear etc. to allow the traffic to flow in both directions?

    If so what should be the basic configurations?

    Or is there a way to just bridge/connect the two eths (eth0/eth1) so that the traffic simply passes through and Snort sniffs it as it passes through?

    Again, if this is the way to do it, then how do I bridge these two eths together, and how should they be configured (IP/netmask/etc.) so that they are just there to allow the traffic to flow and they don't change/block or otherwise interfere with the traffic unless Snort shuts it down as an intrusion/suspicious activity?

    I know from reading these posts that there are some very talented/knowledgeable people here, so this is my first choice to get help. Thanks in advance.

    I know I am a noobie so feel free to "dumb down" your response. I won't be offended....hehe.
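Added example (not part of the thread, and not the poster's own setup): the bridge approach asked about above, written as a shell script for a Fedora box with bridge-utils (brctl), iproute2 (ip) and Snort installed. It assumes eth0 faces the cable modem and eth1 faces the Linksys router; those names, br0, the snort.conf path and the /var/log/snort directory are all assumptions. The script builds a transparent bridge with no IP address on either port or on br0, turns off bridge-netfilter so the box's iptables rules never see the forwarded frames (with it left on, Fedora's default firewall FORWARD policy can silently drop bridged traffic in one direction, which matches the "flows one way only" symptom), and runs Snort against br0. In this passive design Snort only alerts; dropping traffic needs an inline engine such as snort_inline or Hogwash.

```shell
#!/bin/sh
# Transparent Snort bridge: added example, not from the thread.
# Assumes Fedora with bridge-utils (brctl), iproute2 (ip) and Snort installed,
# eth0 toward the cable modem and eth1 toward the Linksys router (both names,
# br0, the snort.conf path and the log directory are assumptions).
# Apply as root:   sh bridge-sensor.sh apply
# Without "apply" it only prints what it would run.
set -e

OUTSIDE=${OUTSIDE:-eth0}   # cable-modem side
INSIDE=${INSIDE:-eth1}     # router side
BRIDGE=${BRIDGE:-br0}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
SNORT_LOG=${SNORT_LOG:-/var/log/snort}

# Commands that build the bridge. There is no "ip addr add" anywhere: neither
# port nor br0 gets an address, so the sensor has no presence on the wire and
# nothing to reach it by. STP off and forward delay 0 so frames pass at once.
bridge_plan() {
    cat <<EOF
ip link set dev $OUTSIDE down
ip link set dev $INSIDE down
ip addr flush dev $OUTSIDE
ip addr flush dev $INSIDE
brctl addbr $BRIDGE
brctl stp $BRIDGE off
brctl setfd $BRIDGE 0
brctl addif $BRIDGE $OUTSIDE
brctl addif $BRIDGE $INSIDE
ip link set dev $OUTSIDE promisc on
ip link set dev $INSIDE promisc on
ip link set dev $OUTSIDE up
ip link set dev $INSIDE up
ip link set dev $BRIDGE up
sysctl -w net.bridge.bridge-nf-call-iptables=0
sysctl -w net.bridge.bridge-nf-call-ip6tables=0
sysctl -w net.bridge.bridge-nf-call-arptables=0
EOF
}

# Snort sniffing the bridge device, daemonised, logging under $SNORT_LOG.
snort_cmd() {
    echo "snort -D -i $BRIDGE -c $SNORT_CONF -l $SNORT_LOG"
}

# snort.conf output line for the MySQL/BASE logging the post mentions
# (the password is a placeholder to replace before use).
db_output_line() {
    echo "output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost"
}

# Checks before applying: both ports exist and the tools are on PATH.
preflight() {
    for dev in "$OUTSIDE" "$INSIDE"; do
        [ -e "/sys/class/net/$dev" ] || { echo "no such interface: $dev" >&2; return 1; }
    done
    for tool in brctl ip sysctl snort; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 1; }
    done
}

if [ "${1:-}" = apply ]; then
    preflight
    bridge_plan | sh -e
    eval "$(snort_cmd)"
else
    bridge_plan
    snort_cmd
    db_output_line
fi
```

Run it once without arguments to read the plan, then `sh bridge-sensor.sh apply` as root. Because br0 carries no address, the only way to administer the sensor afterwards is the console or a third NIC on the inside network; that is the same trade-off the inline Hogwash design makes.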

  2. #2

    OK, after several more hours of searching, I have found this program called Hogwash. Anyone that can give any advice, Good-Bad-Ugly... I would greatly appreciate it.

    Also, Hogwash can be used as an inline scrubber, so I now know from the white paper that I have to edit the kernel and disable the TCP/IP handling layer and then re-establish eth0/eth1 using net-tools. This allows the traffic to flow unless Hogwash drops it for suspicious activity. Hogwash uses the Snort engine, so this should be just what I am looking for.

    I know now that the box can't have an IP address to sit in between the internet and the router. So really I am just looking now for anyone with any experience with Hogwash as an inline scrubber and whether this is Good-Bad-Ugly...etc.

    Thanks again,
