Graham Freeman wrote:
> Hi, folks,
> I want to deploy a Snort IDS in the network, with feeds from passive
> taps in front of and behind my m0n0wall firewall. Currently I'm
> running a Soekris net4801 w/ lan1621 for a total of 5 network ports.
> I'll use a separate server or two for Snort, but I don't want to
> deploy another layer of potential failures by installing network hubs
> that I wouldn't need otherwise. I also don't want to use my Snort
> server(s) as bridges - I want my network to stay up even if the IDS
> hardware fails or is taken offline for maintenance.
> I'm only using three of my five network ports on the m0n0/Soekris box
> - can I set up the other two ports so that they mirror LAN & WAN
> traffic? If so, how?
> Any help would be appreciated. I'm willing to donate a modest sum to
> make this happen. This is for the colocation arm of a growing
> technology cooperative, so we have some money but not a ton.
m0n0wall can't do this currently, and I don't know if it ever will. Do
you have managed switches in the appropriate locations? Most managed
switches will let you set up spanned or mirrored ports just for things
like this. If you don't have managed switches, I know a Cisco 2900XL
will do it, and those can be purchased very cheaply.
phil at brutsche dot us
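As an added illustration of the port-mirroring setup Phil describes (example configuration written for this thread, not code from the list, from m0n0wall or from Cisco documentation on the page; the interface numbers and which port faces the m0n0wall versus the Snort sensor are assumptions), here is what it looks like on a Catalyst 2900XL, which uses the per-interface `port monitor` command, followed by the equivalent on later Catalyst IOS switches, which use a global `monitor session`:

```cisco
! Assumed layout (constructed for this example):
!   Fa0/1 - segment to be watched (e.g. the link to the m0n0wall WAN port)
!   Fa0/2 - Snort sensor's sniffing NIC (left without an IP address)
!
! Catalyst 2900XL / 3500XL: the mirror is configured from the interface
! that will RECEIVE the copy. On these switches the source and the
! monitor port must belong to the same VLAN.
interface FastEthernet0/2
 description Snort sensor - mirror of Fa0/1
 port monitor FastEthernet0/1
!
! Same result on later Catalyst IOS (2950/3550 and newer): a SPAN session
! copies both directions of Fa0/1 to Fa0/2.
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 destination interface FastEthernet0/2
```

The "in front of and behind the firewall" taps Graham wants are two separate mirror sessions on whichever switch carries each segment, so the sensor needs two sniffing NICs (or there are two sensors). Two things to check once it is running: a mirror port that carries both directions of a full-duplex link can be offered up to twice its line rate, and the switch silently drops whatever does not fit, so Snort's packet-loss statistics are worth watching on busy links; and the sniffing NIC should be up in promiscuous mode with no address, so the IDS host is invisible from the monitored segment. Because nothing is bridged through the sensor, losing it simply stops the copy, which is exactly the failure isolation the original question asks for.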