[Snort-users] Dual home IDS? ACID and send email alerts on one, IDS on the other.

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Mon Oct 25 00:52:01 EDT 2004


--On 22 October 2004 23:05 -0700 Marty Hauser <martyhauser at ...5190...> wrote:


> My manager configured the Cisco switch to mirror all
> traffic to one port. That's what we want, but I'm told that this port is
> IP-less and no traffic can flow into or out of the IDS system. The IDS
> system is connected to this port and working perfectly. The issue is the
> IDS system can't send emails or access the functional ACID website.

That's normal.

> I thought of adding a second NIC and directing SNORT to monitor this NIC
> instead and connect the original NIC to the network on a normal port and
> regain email and ACID website support.

That's normal practice too. Make sure you protect any exposed services 
(e.g. by using a firewall - either on the IDS host, or between it and the 
outside world), or that you use a private administration segment that 
ordinary users are physically disconnected from.

> Thanks,
> Marty Hauser

Best Regards,
Alex.
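
A dry-run sketch of the dual-NIC layout discussed in this thread, added here as an example and not part of the original posts: it prints the commands for an IP-less sniffing NIC and a default-deny ruleset for the management NIC. The interface names, admin subnet, ports 22/443 (SSH and an HTTPS-served ACID) and the snort.conf path are assumptions.

```shell
#!/bin/sh
# Added example; all values below are constructed placeholders.
SNIFF_IF="${SNIFF_IF:-eth1}"            # NIC on the switch mirror port (assumed)
MGMT_IF="${MGMT_IF:-eth0}"              # NIC on a normal or admin port (assumed)
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"  # admin segment (documentation range)

# Keep the sniffing NIC IP-less: no IPv4 address, no IPv6 link-local,
# no ARP replies, promiscuous so Snort sees the mirrored frames.
sniff_setup_cmds() {   # $1 = sniffing NIC
    printf '%s\n' \
        "sysctl -w net.ipv6.conf.$1.disable_ipv6=1" \
        "ip addr flush dev $1" \
        "ip link set dev $1 arp off promisc on up" \
        "snort -D -i $1 -c /etc/snort/snort.conf"
}

# iptables-restore ruleset: default-deny inbound, admin access only from
# the admin segment on the management NIC, nothing ever leaves via the
# sniffing NIC. Outbound mail from the IDS host uses the OUTPUT policy and
# its replies match ESTABLISHED. libpcap captures before netfilter, so the
# INPUT drop policy does not blind Snort.
mgmt_ruleset() {       # $1 = mgmt NIC, $2 = admin network, $3 = sniffing NIC
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $1 -s $2 -p tcp -m multiport --dports 22,443 -j ACCEPT
-A OUTPUT -o $3 -j DROP
COMMIT
EOF
}

# Print the whole plan for review; nothing is applied by this script.
plan() {
    sniff_setup_cmds "$SNIFF_IF"
    echo "iptables-restore <<'RULES'"
    mgmt_ruleset "$MGMT_IF" "$ADMIN_NET" "$SNIFF_IF"
    echo "RULES"
}
plan
```

The output is itself a shell script; after review it can be run as root on the IDS host.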




