[Snort-users] Dual home IDS? ACID and send email alerts on one, IDS on the other.

Demetri Mouratis dmourati at ...3877...
Sat Oct 23 23:25:01 EDT 2004

On Fri, 22 Oct 2004, Marty Hauser wrote:

> Greetings,
> Thanks to the great work of the group behind and Patrick S. Harper
> <mailto:patrick at ...4250...> , his procedures are very good and
> I have Fedora Core 2 and snort 2.2.0 running perfectly. There is nothing
> wrong with the IDS system, this question is on an enhancement. My manager
> configured the Cisco switch to mirror all traffic to one port. That's what
> we want, but I'm told that this port is IP-less and no traffic can flow into
> or out of the IDS system. The IDS system is connected to this port and
> working perfectly. The issue is the IDS system can't send emails or access
> the functional ACID website. I thought of adding a second NIC and directing
> SNORT to monitor this NIC instead and connect the original NIC to the
> network on a normal port and regain email and ACID website support. Have you
> guys any guidance/experience with resolving an issue like this? Any help
> would really be appreciated.

You need the second NIC to have a real IP on a non-mirror port. Consider
turning off SSH and restricting physical access to the sensor box. Also
consider sending syslogs from the sensor offline for review.

Demetri Mouratis
dmourati at linfactory.com
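
A check for the dual-homed layout described in the reply above, added here as an example and not part of the original messages: it reads `ip -o addr show` output and confirms the sniffing NIC carries no address while the management NIC has a routable one. The interface names (eth0 for management, eth1 for the mirror port) and the sample addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_sensor_ifaces MGMT_IF SNIFF_IF
# Reads `ip -o addr show` output on stdin (one line per assigned address).
# Exit 0: SNIFF_IF has no IPv4/IPv6 address and MGMT_IF has a global one.
# Exit 1: otherwise, with one FAIL line per finding.
# Note: Linux assigns an IPv6 link-local (fe80::) address when an interface
# comes up with IPv6 enabled, so an "IP-less" sniffing NIC can still end up
# with an address; that case is reported as a failure here.
audit_sensor_ifaces() {
    awk -v mgmt="$1" -v sniff="$2" '
        $3 == "inet" || $3 == "inet6" {
            if ($2 == sniff) {
                printf "FAIL: sniffing interface %s has address %s\n", sniff, $4
                bad = 1
            }
            if ($2 == mgmt && $0 ~ /scope global/) mgmt_ok = 1
        }
        END {
            if (!mgmt_ok) {
                printf "FAIL: management interface %s has no global address\n", mgmt
                bad = 1
            }
            if (!bad) printf "OK: %s addressed, %s address-less\n", mgmt, sniff
            exit bad + 0
        }'
}

# Constructed sample: eth0 addressed, eth1 up with no address (no line at all).
sample_good() { cat <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
EOF
}

# Constructed sample: eth1 picked up an IPv6 link-local address.
sample_leaky() { cat <<'EOF'
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::211:22ff:fe33:4455/64 scope link \       valid_lft forever preferred_lft forever
EOF
}

# On a live sensor (not run here):
#   ip -o addr show | audit_sensor_ifaces eth0 eth1
```

Because `ip -o addr show` prints nothing for an interface without addresses, this check cannot tell an address-less eth1 from a missing one; confirm the link state separately.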
