
Invisible Network Monitoring Sensor


Cybex


I was wondering if anyone knows how to build and configure a Linux system to sit inline on a SOHO network, to allow for PCAP archiving and security monitoring (IDS, AV, etc.). I have an extra PC laying around (3GB RAM, 1TB hard drive, 4 GigE NICs) and I would like to place it behind my FIOS router to dump the traffic and perform security analysis activities against it. I would prefer the system be invisible on the network (no IP address) and do it without the system being set up as the network gateway. I want to use the PC, no SPAN ports/port mirrors and no network taps, hubs, etc.

I found the following on The Shmoo Group, but there was no other information and I am trying to accomplish it with Linux not BSD.

"FreeBSD can do very simple bridging without even assigning an IP to the interfaces you are bridging. Of course you'll have to run a sniffer like snort to make the sensor element complete. If you are using 3 interfaces (2 for the bridging and actual sniffing and 1 for sensor data output) you'd of course had to assign an IP to the 3rd interface (which would sit wisely on a separate IDS network). And with all the wonderful stealth IP kernel options it will be no trouble hiding the box."

Thanks,

Cy


Put something like m0n0wall or one of the other firewall/IDS distros on the box (or you can just use things like Snort and iptables), install two NICs, make it sit between the modem and the home router, and it will act as a firewall, IDS, packet filter, Squid proxy, DNS filter, can tcpdump traffic to logs and rotate them with cron jobs to save space every few days, etc. I'm not the guy to give instructions on how to set it up, since I consider myself a Linux n00b, but I know the setups and tools, just not how to go about setting all of it up and scripting the jobs to do what you want; pretty much any Linux distro could be turned into this. pfSense, I think, comes with an all-in-one type setup as well for the same easy home firewall/IDS with email alert monitoring. I've just never had to set one up or use one myself.


A friend of mine built a home IPS using IPFire. He has it sitting between his router and modem. I personally haven't done it, but he has and is able to do everything that you are wanting to do. Hope this helps.


Got it... I needed to create a transparent bridge.

# install the bridging tools and tcpdump
apt-get install bridge-utils tcpdump

# create the bridge and attach both NICs; no IP address is assigned to anything
brctl addbr br01
brctl addif br01 eth0
brctl addif br01 eth1
# the member interfaces must be up (with no address) or the bridge will not forward
ifconfig eth0 0.0.0.0 up
ifconfig eth1 0.0.0.0 up
ifconfig br01 up
brctl show

# capture everything crossing the bridge
tcpdump -i br01 -w dumpfile.pcap

Thanks for the input but both suggestions missed this point about not wanting the solution to have an IP address. Both recommendations are firewall/router solutions and both are visible on the network.

Thanks,

Cy
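The same transparent, address-less bridge as above, written as an added example (not the poster's commands) using iproute2 instead of the deprecated brctl/ifconfig. It adds the two pieces a sensor build usually needs beyond the bare bridge: disabling IPv6 autoconfiguration so the box does not give itself a link-local address and start answering neighbour solicitations, and a tcpdump invocation that rotates and compresses hourly files. The names br0, eth0, eth1 and /var/pcap are placeholders; DRY_RUN=1 (the default) only prints the commands, and --apply runs them as root.

```shell
#!/usr/bin/env bash
# Added example: no-IP transparent bridge plus rotating capture.
# Assumes iproute2, sysctl and tcpdump; br0/eth0/eth1 are placeholder names.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Print a command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create bridge $1 from ports $2 and $3. Nothing here assigns an address,
# so the host never answers ARP or shows up in a scan of the segment.
setup_bridge() {
    local br="$1" a="$2" b="$3"
    run ip link add name "$br" type bridge
    run ip link set dev "$a" master "$br"
    run ip link set dev "$b" master "$br"
    # Ports must be up, and promiscuous so every frame reaches the capture.
    run ip link set dev "$a" up promisc on
    run ip link set dev "$b" up promisc on
    run ip link set dev "$br" up
    # Stop the kernel from autoconfiguring IPv6 link-local addresses; an
    # fe80:: address would make the sensor respond to neighbour discovery.
    run sysctl -w "net.ipv6.conf.$br.disable_ipv6=1"
    run sysctl -w "net.ipv6.conf.$a.disable_ipv6=1"
    run sysctl -w "net.ipv6.conf.$b.disable_ipv6=1"
}

# Build the tcpdump command: -n so the sensor never issues DNS lookups,
# -s 0 for full frames, new file every hour (-G 3600), gzip rotated files.
capture_command() {
    local br="$1" dir="$2"
    printf 'tcpdump -n -i %s -s 0 -G 3600 -w %s/%%Y%%m%%d-%%H%%M%%S.pcap -z gzip\n' \
        "$br" "$dir"
}

# Post-build check: read `ip addr show dev <bridge>` output on stdin and
# return 0 only if no inet/inet6 line is present (the bridge is unaddressed).
bridge_is_unaddressed() {
    ! grep -Eq '^[[:space:]]*inet6? '
}

if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0
    setup_bridge "${BRIDGE:-br0}" "${PORT_A:-eth0}" "${PORT_B:-eth1}"
    ip addr show dev "${BRIDGE:-br0}" | bridge_is_unaddressed \
        || { echo "bridge has an address, refusing to start capture" >&2; exit 1; }
    mkdir -p "${PCAP_DIR:-/var/pcap}"
    eval "$(capture_command "${BRIDGE:-br0}" "${PCAP_DIR:-/var/pcap}")"
fi
```

Running it without arguments prints the command sequence for review; the unaddressed check is deliberately run before tcpdump starts, because a bridge that picked up an address from a forgotten DHCP client or IPv6 autoconf is exactly the case that makes an "invisible" sensor visible.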
