Snort mailing list archives

Methodology Verification


From: "John Cherbini" <cherbini () dakotacom net>
Date: Tue, 14 Jan 2003 19:40:20 -0700

Hello everyone...

I just set up a couple of machines using the *excellent* documentation
at:

http://www.superhac.com/snort/

I have the web server and snort running on one machine, logging to
another machine running the mysql stuff.

I'm using both snortcenter and ACID.  Everything except the PHPLOT is
working very well.

My question is this:

I'm setting up a testing network that does not have a firewall.  I
basically want a snort machine with the external net on one side, and
the victim on the other side.  I really just want to be able to see the
attacks that take place on the victim.

Currently, the external interface on the snort box is getting a DHCP
address.

I want the snort box to basically be invisible.  I understand that this
can happen in a number of ways..

Am I looking at doing NAT to an internal subnet (the victim)?  Using
IPTables, etc....

Can I make snort transparent enough so that the victim machine will be
able to pull its own DHCP address on the external subnet?  (a la
hogwash?)

Does the snort-inline do what I'm looking for?  It seems to be the same
thing as hogwash, is this correct?

The only real information I can find on inline is the recently released
toolkit for the honeynet project.

I basically have a logical gap in reasoning here.  Can anyone point me
to a doc that will clear this up?  Have any suggestions on how to make
the snort box relatively transparent?

Thanks for any tips!!

John Cherbini
