> You can actually go two routes for a good snort box in an untrusted zone.
>
> 1) Bastille, which has been mentioned before, or Bastille is wonderful.
> 2) Don't give the box an IP address. I don't know the specifics, but
> I've seen in CERT lists that you can put the NIC in promiscuous mode
> without an IP. The box will still receive all of the packets on the
> wire, but it won't be able to reply and the black hats won't be able to
> see the box. You'll have to do everything from the console, but you'll
> have a truly hack-proof box.

This isn't very difficult actually, and is probably well worth doing. Just configure your NIC as normal, but do *not* assign it an IP address or use DHCP. Then 'ifconfig eth0 up' will "enable" the NIC. Snort will place it in promiscuous mode, and start listening!

This, however, requires that this is all the machine can do though. Nothing can be sent from this box (unless you have two NICs, and the other has an IP, but this defeats the purpose a bit).

--
// Andrew MacKenzie | http://www.edespot.com
// GPG public key: http://www.edespot.com/~amackenz/public.key
// veritas nunquam perit // 'Truth never dies'
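The address-less sniffing interface described above, as an added example that is not part of the original post or of Snort: a POSIX shell script that brings a Linux NIC up with no address and then checks that the interface really carries no IPv4/IPv6 address and is in promiscuous mode. It assumes Linux with iproute2 (`ip link set dev eth0 up` is the iproute2 form of the post's `ifconfig eth0 up`) and `sysctl`; "eth0" is just the name used in the post. One step goes beyond the post: the kernel assigns an IPv6 link-local address to any interface it brings up, which would let the box answer neighbour discovery on the segment, so the script disables IPv6 on that interface first. The sample `ip` outputs at the bottom are constructed, not captured from a real system, so the checks can be exercised without root or a real NIC.

```shell
#!/bin/sh
# Added example, not from the original post or from Snort. Brings up a Linux
# NIC as a pure sniffing interface (no IPv4, no IPv6, nothing that can answer
# on the wire) and verifies the result. Assumes iproute2 ("ip") and sysctl;
# the interface name is only an example.

# check_no_address TEXT
#   TEXT is the output of "ip -o addr show dev <iface>". Returns 0 when no
#   inet or inet6 address is configured on the interface, 1 otherwise.
check_no_address() {
    if printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])inet6?[[:space:]]'; then
        return 1
    fi
    return 0
}

# check_promisc TEXT
#   TEXT is the output of "ip -o link show dev <iface>". Returns 0 when the
#   PROMISC flag is set (Snort sets it when it opens the device), 1 otherwise.
check_promisc() {
    printf '%s\n' "$1" | grep -q 'PROMISC'
}

# setup_sniff_iface IFACE  (needs root)
#   The post's "ifconfig eth0 up" in iproute2 form, plus a refusal of the
#   IPv6 link-local address the kernel would otherwise assign.
setup_sniff_iface() {
    iface="$1"
    ip addr flush dev "$iface"                              # drop any static/DHCP address
    sysctl -q -w "net.ipv6.conf.${iface}.disable_ipv6=1"     # no fe80:: link-local address
    ip link set dev "$iface" up                              # bring the link up, no address
}

# verify_sniff_iface IFACE
#   Reads the live interface state and applies both checks.
verify_sniff_iface() {
    iface="$1"
    check_no_address "$(ip -o addr show dev "$iface")" \
        || { echo "$iface still has an IP address"; return 1; }
    check_promisc "$(ip -o link show dev "$iface")" \
        || { echo "$iface is not in promiscuous mode (is Snort running?)"; return 1; }
    echo "$iface: no address, promiscuous mode on"
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_ADDR_DHCP='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global dynamic eth0\       valid_lft 3600sec preferred_lft 3600sec
2: eth0    inet6 fe80::211:22ff:fe33:4455/64 scope link \       valid_lft forever preferred_lft forever'
SAMPLE_ADDR_CLEAN='2: eth0    <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
SAMPLE_LINK_PROMISC='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
SAMPLE_LINK_PLAIN='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'

# With an interface name as argument (run as root), configure and verify it;
# with no argument, exercise the checks on the constructed samples.
if [ "$#" -ge 1 ]; then
    setup_sniff_iface "$1" && verify_sniff_iface "$1"
else
    check_no_address "$SAMPLE_ADDR_DHCP"    && echo "unexpected: DHCP sample passed"
    check_no_address "$SAMPLE_ADDR_CLEAN"   && echo "clean sample: no address"
    check_promisc    "$SAMPLE_LINK_PROMISC" && echo "promisc sample: PROMISC set"
    check_promisc    "$SAMPLE_LINK_PLAIN"   || echo "plain sample: PROMISC not set"
fi
```

Run it as `sh sniff-iface.sh eth0` on the sensor (as root) after starting Snort; without an argument it only runs the checks against the built-in samples. The promiscuous check is deliberately done after Snort is up, since it is Snort, not the interface configuration, that sets the PROMISC flag.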