I was wondering if anyone knows how to build and configure a Linux system to sit inline on a SOHO network, to allow for PCAP archiving and security monitoring (IDS, AV, etc.). I have an extra PC lying around (3GB RAM, 1TB hard drive, 4 GigE NICs) and I would like to place it behind my FIOS router to dump the traffic and perform security analysis activities against it. I would prefer the system be invisible on the network (no IP address) and do it without the system being set up as the network gateway. I want to use the PC, no SPAN ports/port mirrors and no network taps, hubs, etc.
I found the following on The Shmoo Group, but there was no other information, and I am trying to accomplish it with Linux, not BSD.
"FreeBSD can do very simple bridging without even assigning an IP to the interfaces you are bridging. Of course you'll have to run a sniffer like snort to make the sensor element complete. If you are using 3 interfaces (2 for the bridging and actual sniffing and 1 for sensor data output) you'd of course have to assign an IP to the 3rd interface (which would sit wisely on a separate IDS network). And with all the wonderful stealth IP kernel options it will be no trouble hiding the box."
Thanks,
Cy
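A Linux equivalent of the bridging setup quoted from the Shmoo Group, written as an added example for this thread (it is not Cy's configuration and not the Shmoo text): two NICs are enslaved to a kernel bridge that carries no IP address, does not answer ARP, does not speak STP and has IPv6 disabled, so the box never sources a frame of its own on the monitored segment; the third NIC gets an address on a separate sensor network; tcpdump captures on the bridge with hourly rotation. The interface names eth1/eth2/eth3, the bridge name br0, the management address 192.168.100.2/24, the capture directory /var/pcap and the unprivileged user tcpdump are assumptions; setting DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# IP-less inline Linux bridge for PCAP archiving (added example, not from the post).
# Assumed names: eth1/eth2 are the inline pair, eth3 is the management NIC,
# br0 is the bridge. Adjust to your hardware. DRY_RUN=1 previews the commands.

INSIDE="${INSIDE:-eth1}"
OUTSIDE="${OUTSIDE:-eth2}"
MGMT="${MGMT:-eth3}"
MGMT_ADDR="${MGMT_ADDR:-192.168.100.2/24}"   # assumed sensor-network address
BRIDGE="${BRIDGE:-br0}"
PCAP_DIR="${PCAP_DIR:-/var/pcap}"             # assumed archive location
CAP_USER="${CAP_USER:-tcpdump}"               # assumed unprivileged user

# Execute a command, or just echo it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Build the transparent bridge. stp_state 0 keeps it from emitting BPDUs,
# arp off keeps it from answering ARP, disable_ipv6 stops link-local
# addresses and router solicitations: nothing on the wire reveals the box.
setup_bridge() {
    run ip link add "$BRIDGE" type bridge stp_state 0
    run ip link set "$BRIDGE" arp off
    for ifc in "$INSIDE" "$OUTSIDE"; do
        run ip addr flush dev "$ifc"
        run sysctl -q -w "net.ipv6.conf.$ifc.disable_ipv6=1"
        # Record frames as they appear on the wire, not GRO/LRO-coalesced.
        run ethtool -K "$ifc" gro off lro off
        run ip link set "$ifc" master "$BRIDGE"
        run ip link set "$ifc" promisc on up
    done
    run sysctl -q -w "net.ipv6.conf.$BRIDGE.disable_ipv6=1"
    run ip link set "$BRIDGE" up
}

# Only the management NIC carries an address, on the separate sensor network.
setup_mgmt() {
    run ip addr flush dev "$MGMT"
    run ip addr add "$MGMT_ADDR" dev "$MGMT"
    run ip link set "$MGMT" up
}

# Capture on the bridge (both directions), full frames, one file per hour,
# gzip each finished file, drop root after the capture socket is open.
start_capture() {
    run mkdir -p "$PCAP_DIR"
    run chown "$CAP_USER" "$PCAP_DIR"
    run tcpdump -i "$BRIDGE" -nn -s 0 -G 3600 -z gzip -Z "$CAP_USER" \
        -w "$PCAP_DIR/$BRIDGE-%Y%m%d-%H%M%S.pcap"
}

# Run as root: ./inline-bridge.sh apply   (DRY_RUN=1 ./inline-bridge.sh apply to preview)
if [ "${1:-}" = "apply" ]; then
    setup_bridge
    setup_mgmt
    start_capture
fi
```

Two caveats a practitioner would want: tell NetworkManager, dhcpcd or whatever manages interfaces on the box to leave eth1 and eth2 alone, otherwise a DHCP client will chatter on the monitored segment and the box is no longer invisible; and unlike a passive tap, a software bridge fails closed, so if the sensor panics or loses power the LAN behind it loses connectivity.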