If you wish to have the card be semi-stealth, but still be reachable
over the net (it'd be better, for 'real' hardening, if you left it
non-IP), then you can give it a 'private' non-used address
in another subnet (say, 192.168.251.225/30). The corresponding
address (192.168.251.226/30) would belong to your 'controlling'
machine (probably on eth0:1).
Only two addresses can fit into a /30 subnet, so if your box
doesn't route to it, it should be pretty hard for someone else
to talk to it. Someone else snooping on the net could still
see the packets between the machines and, thus, know about
the existence of your snort box, but they should have a
hard time talking to it without your permission.
BTW: On Linux, you can apparently remove a card's IP address
by giving it an address of '0'.
Renaud, Andre wrote:
> One of the easiest ways is to simply not give the card an IP address,
> it can still go into promiscuous mode, and works fine under snort
....
--
Stephen Samuel +1(604)876-0426 [EMAIL PROTECTED]
http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.
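
The /30 addressing described in the message above, as an added example that is not part of the original post: a small check that a planned sensor/controller address pair really fills its subnet and does not overlap anything the controlling machine routes. The function name `audit_sensor_link` and the routed subnet `192.168.1.0/24` are assumptions made for illustration.

```python
import ipaddress


def audit_sensor_link(sensor, controller, routed_subnets):
    """Return a list of problems with a point-to-point sensor link plan.

    sensor / controller: addresses in interface notation, e.g. '192.168.251.225/30'
    routed_subnets: networks the controlling machine forwards traffic for
    """
    s = ipaddress.ip_interface(sensor)
    c = ipaddress.ip_interface(controller)
    problems = []

    if s.network != c.network:
        problems.append(f"{s.ip} and {c.ip} are in different subnets")
    if not s.network.is_private:
        problems.append(f"{s.network} is not private address space")

    # hosts() excludes the network and broadcast addresses of the subnet
    usable = set(s.network.hosts())
    for iface in (s, c):
        if iface.ip not in usable:
            problems.append(f"{iface.ip} is the network or broadcast address of {iface.network}")

    # Any spare host address is one a third machine on the wire could claim
    spare = usable - {s.ip, c.ip}
    if spare:
        problems.append(f"{len(spare)} unused host address(es) left in {s.network}")

    # The link only stays isolated if nothing routes into it
    for net in map(ipaddress.ip_network, routed_subnets):
        if net.overlaps(s.network):
            problems.append(f"{s.network} overlaps routed subnet {net}")
    return problems


if __name__ == "__main__":
    # Addresses from the message; the routed subnet is constructed sample data
    plan = ("192.168.251.225/30", "192.168.251.226/30", ["192.168.1.0/24"])
    print(audit_sensor_link(*plan) or "plan OK: /30 is fully occupied and unrouted")
```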