[Snort-users] Dual home IDS? ACID and send email alerts on one, IDS on the other.

Demetri Mouratis dmourati at ...3877...
Sat Oct 23 23:25:01 EDT 2004


On Fri, 22 Oct 2004, Marty Hauser wrote:

> Greetings,
>
> Thanks to the great work of the group behind and Patrick S. Harper
> <mailto:patrick at ...4250...> , his procedures are very good and
> I have Fedora Core 2 and snort 2.2.0 running perfectly. There is nothing
> wrong with the IDS system; this question is on an enhancement. My manager
> configured the Cisco switch to mirror all traffic to one port. That's what
> we want, but I'm told that this port is IP-less and no traffic can flow into
> or out of the IDS system. The IDS system is connected to this port and
> working perfectly. The issue is the IDS system can't send emails or access
> the functional ACID website. I thought of adding a second NIC and directing
> SNORT to monitor this NIC instead and connect the original NIC to the
> network on a normal port and regain email and ACID website support. Have you
> guys any guidance/experience with resolving an issue like this? Any help
> would really be appreciated.

You need the second NIC to have a real IP on a non-mirror port.  Consider
turning off SSH and restricting physical access to the sensor box.  Also
consider sending syslogs from the sensor offline for review.
---------------------------------------------------------------------
Demetri Mouratis
dmourati at linfactory.com
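One way to sanity-check that layout once the second NIC is in, as an added example that is not code from the list post: a POSIX sh script that confirms the mirror-port NIC is up but address-less while the management NIC carries the only routable address. The interface names (eth0 for management, eth1 on the mirror port) are assumptions, and the interface tables are a constructed sample in the style of `ip -o link show` / `ip -o addr show` output rather than the live system, so it runs on any host.

```shell
#!/bin/sh
# Added example, not code from the list post: sanity-check a dual-homed
# sensor. Assumed names: SNIFF_IF sits on the switch mirror port (up, no IP),
# MGMT_IF sits on a normal port and carries mail, ACID and outbound syslog.
SNIFF_IF="${SNIFF_IF:-eth1}"
MGMT_IF="${MGMT_IF:-eth0}"

# Constructed sample in the style of `ip -o link show` and `ip -o addr show`,
# used instead of the live tables so the script runs on any host.
SAMPLE_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500'
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0'

# iface_has_ip IFACE ADDR_OUTPUT: true when IFACE carries an inet address
iface_has_ip() {
    printf '%s\n' "$2" | grep -q "^[0-9]*: $1  *inet "
}

# iface_is_up IFACE LINK_OUTPUT: true when the link flags include UP
iface_is_up() {
    printf '%s\n' "$2" | grep -q "^[0-9]*: $1: <[^>]*[<,]UP[,>]"
}

# check_layout SNIFF MGMT LINK_OUTPUT ADDR_OUTPUT
# Returns 0 when the mirror-port NIC is up and address-less and the
# management NIC has an address; prints a WARN line for each violation.
check_layout() {
    rc=0
    if iface_has_ip "$1" "$4"; then
        echo "WARN: $1 has an IP; the mirror-port NIC should be address-less"
        rc=1
    fi
    if ! iface_is_up "$1" "$3"; then
        echo "WARN: $1 is down; an IP-less NIC still needs 'ip link set $1 up'"
        rc=1
    fi
    if ! iface_has_ip "$2" "$4"; then
        echo "WARN: $2 has no IP; mail, ACID and syslog need a routable NIC"
        rc=1
    fi
    return $rc
}

if check_layout "$SNIFF_IF" "$MGMT_IF" "$SAMPLE_LINK" "$SAMPLE_ADDR"; then
    echo "layout OK: run snort -i $SNIFF_IF, manage the box via $MGMT_IF"
fi
```

To run it against the real box, replace the two SAMPLE_ variables with `$(ip -o link show)` and `$(ip -o addr show)`.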
