Honeypots mailing list archives

Anyone running honeyd, arpd, and snort_inline?


From: "Jeffrey B. Murphy" <jbmurphy () gmail com>
Date: Fri, 18 Mar 2005 16:33:23 -0500

I am still trying to figure all this out. I have a Fedora Core 3 box with
one NIC (no bridge or anything). I have arpd up and running, and I have
honeyd up and running. So how do I add snort_inline into the mix?

My understanding about snort_inline is that you use iptables and
"jump" the packet to queue. Then snort_inline takes over. But I can't
figure out how to get that far.
If I have my basic iptables set up to block everything (see below),
and traffic destined for my honeypot still gets past my INPUT chain,
how can I pass the traffic to snort_inline? Wouldn't I want the
traffic from my INPUT chain passed to -j QUEUE?

For example:

arpd IPAddyOfHoneyPot
honeyd -d honeyd.conf

honeyd.conf:
create sticky
set sticky personality "Microsoft Windows NT 4.0 SP3"
set sticky default tcp action tarpit open
set sticky default icmp action open
bind IPAddyOfHoneyPot sticky

IptablesScript:
iptables -F
iptables -X

# Set Default Policy to drop everything
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

I send a ping from a different SourceMachine to the destination of
IPAddyOfHoneyPot.
On the source machine I get:
3 packets transmitted, 0 packets received, 100% packet loss.
On the honeypot I get:
honeyd[PID]: Sending ICMP Echo Reply: IPAddyOfHoneyPot -> SourceMachine
honeyd[PID]: couldn't send packet: Operation not permitted

My take on what is going on is that the traffic to arpd is bypassing
the INPUT chain, and making it to honeyd. (I don't understand how).
Then the return traffic is not making it back to the SourceMachine
because of the OUTPUT rule to DROP (iptables -P OUTPUT DROP).

So my question is, how can I get snort_inline to work if I can control
traffic flow to the honeypot (in this case, control being dropping the
packet)?

Help? Does anyone run arpd, snort_inline and honeyd? Thanks.
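An added example, not part of the original post and not honeyd's or snort_inline's own scripts, showing where the QUEUE target fits on a single-NIC honeyd host. The honeypot address and interface are placeholders passed as arguments. Two facts drive the placement: inbound packets reach honeyd through libpcap, which taps the interface below the IP stack and so is never gated by the INPUT chain, and honeyd's replies leave through a raw IP socket, which does traverse the OUTPUT chain (a DROP there is what produces the "Operation not permitted" send error). Queueing honeyd's outbound traffic in OUTPUT therefore gives snort_inline a point of control over what the honeypot sends back, while the default DROP policies from the post are kept. snort_inline must already be consuming the queue (ip_queue loaded and snort_inline started in inline mode) before these rules are applied, otherwise the QUEUE target drops every packet it receives.

```shell
#!/bin/sh
# Added example (not from the original post). Emits the iptables rules for a
# honeyd host whose replies should be inspected by snort_inline.
# Assumptions (placeholders): $1 is the honeypot address answered by arpd,
# $2 is the interface honeyd listens on (defaults to eth0).

honeypot_rules() {
    hp_ip="$1"
    iface="${2:-eth0}"
    [ -n "$hp_ip" ] || { echo "usage: honeypot_rules <honeypot-ip> [iface]" >&2; return 1; }
    cat <<EOF
iptables -F
iptables -X
# Same default-deny stance as the post: nothing passes unless a rule says so
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# honeyd's replies come from a raw socket, so they cross OUTPUT; hand them to
# snort_inline through the QUEUE target instead of dropping them outright
iptables -A OUTPUT -o $iface -s $hp_ip -j QUEUE
# Keep the host's own loopback traffic working
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
EOF
}

# Prints the rule set; with --apply as the first argument it is executed
# (requires root and a running snort_inline reading from ip_queue).
main() {
    if [ "${1:-}" = "--apply" ]; then
        shift
        honeypot_rules "$@" | sh
    else
        honeypot_rules "$@"
    fi
}

case "${1:-}" in
    "") ;;   # sourced or run without arguments: define functions only
    *) main "$@" ;;
esac
```

Inbound traffic needs no rule at all for honeyd to see it, which is why the post's ping reached honeyd despite the INPUT DROP policy; the part of the exchange the firewall can actually control on this box is the reply path.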

