IDS mailing list archives

Re: how to build an inline ids?


From: "Gregory Perry" <gvp () cadreng com>
Date: Sat, 16 Nov 2002 18:10:32 -0600

Use FreeBSD or OpenBSD in a layer-2 bridge configuration; basically an x86 machine with two NICs, one "external" and one "internal". Put this box directly after your connection to the 'net, and in front of any machines that you want to protect. Don't assign IP addresses to those two interfaces if you are really paranoid; have snort listen on the external NIC. You can also use this as a transparent firewall, and with a third-party add-on such as hogwash you can do more advanced things like active blocking of attacks.

---------------------------------

"Any sufficiently advanced technology is indistinguishable from magic"
-- Arthur C. Clarke

The following message was sent by spy guy <spyguy703 () earthlink net> on 15 Nov 2002 15:00:45 -0800.

I have a question and I was hoping someone could help.

Is it possible to build an x86 based PC as an in-line IDS?

I want to install Snort IDS at home, but have no taps or equipment that
can mirror/span ports.

Can I build a Linux PC with 2 NICs and put it inline between my firewall
and ADSL modem?

I would like to have the NICs in some sort of 'Stealth mode', so that
no IPs are needed and thus my network config will not change. I just
want the NICs to pass traffic in both directions and then run snort to
monitor the traffic on both.

Is there a way to do this?
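As an added illustration of the bridge-sensor setup described in the reply above (not code from either poster), here is a small sh script that emits the FreeBSD if_bridge(4) and snort commands for a two-NIC transparent sensor. It uses the current `ifconfig bridge0 create / addm` syntax rather than the 2002-era bridge(4) sysctls, assumes fxp0 is the external NIC and fxp1 the internal one, and assumes the snort config lives at /usr/local/etc/snort/snort.conf; with DRY_RUN=1 (the default) it only prints the plan.

```shell
#!/bin/sh
# Transparent (layer-2) bridge IDS sensor on FreeBSD using if_bridge(4).
# Assumed NIC names: fxp0 = external (toward the modem), fxp1 = internal.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.

DRY_RUN="${DRY_RUN:-1}"
SNORT_CONF="${SNORT_CONF:-/usr/local/etc/snort/snort.conf}"   # assumed path

# Emit the ifconfig commands that build bridge0 from two member NICs.
# Neither member nor the bridge is given an IP address, so the sensor has
# no layer-3 presence on the wire and the rest of the network is unchanged.
bridge_plan() {
    ext="$1"; int="$2"
    if [ -z "$ext" ] || [ -z "$int" ] || [ "$ext" = "$int" ]; then
        echo "usage: bridge_plan <external-if> <internal-if> (must differ)" >&2
        return 1
    fi
    printf 'ifconfig %s up\n' "$ext"
    printf 'ifconfig %s up\n' "$int"
    printf 'ifconfig bridge0 create\n'
    printf 'ifconfig bridge0 addm %s addm %s up\n' "$ext" "$int"
}

# Snort in IDS mode on the external member, so it sees traffic before the
# bridge forwards it inward. -D daemonizes, -l sets the log directory.
snort_plan() {
    printf 'snort -D -i %s -c %s -l /var/log/snort\n' "$1" "$SNORT_CONF"
}

# Print the plan, or execute it line by line when DRY_RUN=0.
apply_plan() {
    if [ "$DRY_RUN" = "1" ]; then
        cat
    else
        while IFS= read -r cmd; do
            echo "+ $cmd"
            sh -c "$cmd" || return 1
        done
    fi
}

main() {
    { bridge_plan "$1" "$2" && snort_plan "$1"; } | apply_plan
}

# Usage: DRY_RUN=1 sh bridge-sensor.sh fxp0 fxp1
if [ "$#" -eq 2 ]; then
    main "$1" "$2"
fi
```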


