We have a need to see any traffic that involves certain subnets, external or internal, in a network where we have IDS, not IPS. This traffic does not trigger intrusion events that MSM will detect. We could use an ACL to direct this activity to a syslog server, but then we lose any intrusion event data in McAfee. I have heard this has been done with UDS events but it would be helpful to have some guidance from anybody who has done this. Thanks.
I'd like to be able to do that as well. I've attempted to create a UDS with fixed-field values for the IP addresses that I needed to monitor, but there is a limitation of ten values, which didn't cover my list. You can increase the limitation to 50, but I don't know whether that has performance consequences or not. I don't know why the limitation is so low. We used to watch large ranges of IP addresses with a competing sensor without any problems.
Thanks for the response, Bob. Yes, I know of two of their competitors in IPS/IDS that make this sort of tracing comparatively easy for ranges of IP addresses, if not CIDR-defined ranges. The MSM monitors more networks than we have sniffers or sniffer access.