IDS MC and forwarding to another PostOffice

pbobby
Level 1

Using CSPM 2.3.3i, it was of course possible to forward all alerts received by CSPM to another PostOffice listener.

It does not appear possible using IDS MC and Security Monitor.

I briefly looked at Event Rules and Database Rules, but that doesn't appear to be the way to do it, at least elegantly.

I'm about to edit the postoffice/etc/destinations and postoffice/etc/routes files manually; but wanted to ask here before I do that.

3 Replies

wkho
Level 1

Hi,

You may want to try another way. I have my IDSM blades reporting to two different locations (the IDS MC and another device that listens for PostOffice). To do that, select the device. Under TOC for that device, select remote host and add a second host.

Thanks,

William

Thanks for the reply.

I should have mentioned that I had considered that. I run 25+ probes, and the destination, other than IDS MC, that I want all alerts to go to is a system located behind two firewalls; it would require lots of rules.

Anyway, looks like I'll just be manually editing the postoffice configuration files; routes, hosts, smid, destinations etc.

That method probably will not work.

Editing the routes and hosts files may set up the communication channel, but it is smid that actually forwards the alarms.

The routes and hosts files also get dynamically modified when sensors are added or removed by Security Monitor.

Smid in CSPM and the Unix Director both support the forwarding of alarms to other boxes. The smid used in Security Monitor, however, is not the same smid used in CSPM. In fact Security Monitor's own processes replace the older traditional smid in order to boost performance, and so will ignore any changes you might make to smid.conf.

The forwarding of alarms by Security Monitor is on the list of requests for future versions.

In CSPM and Unix Director the multi-tier system was more necessary because each GUI could really only support one local user. So a remote user needed forwarded copies of the alarms.

With the Security Monitor, however, there is now multi-user support. If the users at the higher tier system need to view alarms on Security Monitor, then you can simply allow an incoming web connection (configure the firewalls to allow it) from the IP addresses of the users on the higher tier to access the Security Monitor and even the IDS Management Center of the lower tier. You can even give the higher tier users their own usernames/passwords and can restrict their access if necessary, and the connection can be encrypted with SSL.
