Snort mailing list archives
Re: Snort VM monitoring other VMs (virtual environment)
From: turki <turki_00 () yahoo com>
Date: Wed, 13 Apr 2011 14:43:15 -0700 (PDT)
Hi Crusty Saint,

Kindly, can you explain more on your point "If at all applicable a span-port would do the magic you're looking for."? I really need the help.

--- On Tue, 4/12/11, Crusty Saint <saintcrusty () gmail com> wrote:

From: Crusty Saint <saintcrusty () gmail com>
Subject: Re: [Snort-users] Snort VM monitoring other VMs (virtual environment)
To: "turki" <turki_00 () yahoo com>
Cc: snort-users () lists sourceforge net
Received: Tuesday, April 12, 2011, 6:29 PM

Would this not require some sort of VLAN set-up? http://open.eucalyptus.com/wiki/EucalyptusNetworkConfiguration_v2.0 documents that there are multiple network modes available. If at all applicable a span-port would do the magic you're looking for.

2011/4/12 turki <turki_00 () yahoo com>:

Hi Mike,

Unfortunately, I am not using VMware products. I am using Eucalyptus cloud: http://open.eucalyptus.com/

--- On Mon, 4/11/11, Mike Lococo <mikelococo () gmail com> wrote:

From: Mike Lococo <mikelococo () gmail com>
Subject: Re: [Snort-users] Snort VM monitoring other VMs (virtual environment)
To: snort-users () lists sourceforge net
Received: Monday, April 11, 2011, 11:19 PM
I am running Snort 2.9 on a virtual machine with 1 NIC (eth0) and I manage to detect and log alerts generated from it. (I will call it Snort-VM.) My question: if I run another virtual machine (I will call it App-VM) within the same network as the Snort-VM (same subnet mask), will I be able to configure Snort-VM to pick up traffic generated from App-VM? So in general, is it even possible to let Snort log traffic for other virtual machines?
It is possible. There are two general paths:

1) Configure your vswitch to ship the traffic to your sniffer-vm. It won't do this by default, but it can be done.

2) Use a virtual-appliance of some kind that supports sniffing. Solera has something, I think, and there are some other security-specific appliances that hook into VMWare on a fairly low level to monitor clients in special ways (Anti-Virus VMs that do memory inspection of all clients on a host, for example).

Check out this link, which has a decent overview of sniffing on ESX: http://vmetc.com/2009/03/12/virtual-machine-sniffer-on-esx-hosts/

Cheers,
Mike Lococo

------------------------------------------------------------------------------
Forrester Wave Report - Recovery time is now measured in hours and minutes not days. Key insights are discussed in the 2010 Forrester Wave Report as part of an in-depth evaluation of disaster recovery service providers. Forrester found the best-in-class provider in terms of services and vision. Read this report now!
http://p.sf.net/sfu/ibm-webcastpromo
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
- - - Security Engineer - Tags: Analyst Systems Security Linux Firewall Network Web Troubleshooting -
If you think I deserve a rant, write me off-list
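Mike's first path (get the vswitch to ship traffic to the sniffer VM) and Crusty Saint's span-port remark are the same idea. What follows is an added example, not code from this thread, from Snort, or from Eucalyptus: a small Python simulation of a learning vswitch that shows why a Snort VM on the same virtual segment sees only broadcasts and its own unicast by default, what a mirror (SPAN) port changes, and why the sensor NIC must also run in promiscuous mode for the mirrored frames to reach Snort at all. The port names, MAC addresses and the frame sequence are constructed for the example and do not correspond to any real deployment.

```python
"""Simulate what a sniffer VM's port receives from a learning vswitch,
with and without a SPAN/mirror port (added example, not Snort code)."""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed MAC addresses for the three VMs on the virtual segment.
MAC = {
    "app":   "52:54:00:00:00:0a",   # App-VM
    "gw":    "52:54:00:00:00:01",   # default gateway / router VM
    "snort": "52:54:00:00:00:5e",   # Snort-VM sensor interface
}


class LearningSwitch:
    """Minimal learning bridge, the default behaviour of any vswitch:
    unicast to a learned destination goes to that one port only,
    unknown or broadcast destinations are flooded to every other port."""

    def __init__(self, ports, mirror_to=None):
        self.ports = list(ports)
        self.mirror_to = mirror_to          # SPAN destination port, or None
        self.fdb = {}                       # forwarding database: mac -> port
        self.delivered = defaultdict(list)  # port -> frames handed to that port

    def receive(self, ingress, frame):
        self.fdb[frame["src"]] = ingress    # learn where the source MAC lives
        dst = frame["dst"]
        if dst != BROADCAST and dst in self.fdb:
            egress = [self.fdb[dst]]
        else:
            egress = [p for p in self.ports if p != ingress]
        for port in egress:
            self.delivered[port].append(frame)
        # SPAN: copy every frame that passed through the switch to the mirror
        # port as well, unless it already went there or came from there.
        if self.mirror_to and self.mirror_to != ingress and self.mirror_to not in egress:
            self.delivered[self.mirror_to].append(frame)


def sensor_sees(frames, own_mac, promiscuous):
    """What the sensor NIC passes up to Snort. With promiscuous mode off, the
    NIC silently drops frames not addressed to its own MAC or to broadcast."""
    if promiscuous:
        return list(frames)
    return [f for f in frames if f["dst"] in (own_mac, BROADCAST)]


def traffic():
    """Constructed sample: App-VM ARPs for the gateway, then opens an HTTP
    connection to it. Tuples are (ingress port, frame)."""
    return [
        ("app", {"src": MAC["app"], "dst": BROADCAST,  "info": "ARP who-has gw"}),
        ("gw",  {"src": MAC["gw"],  "dst": MAC["app"], "info": "ARP reply"}),
        ("app", {"src": MAC["app"], "dst": MAC["gw"],  "info": "TCP SYN :80"}),
        ("gw",  {"src": MAC["gw"],  "dst": MAC["app"], "info": "TCP SYN/ACK"}),
        ("app", {"src": MAC["app"], "dst": MAC["gw"],  "info": "HTTP GET /"}),
    ]


def run(mirror, promiscuous):
    """Replay the sample traffic and return the frame descriptions that
    actually reach Snort on the sensor port under the given settings."""
    switch = LearningSwitch(["app", "gw", "snort"],
                            mirror_to="snort" if mirror else None)
    for port, frame in traffic():
        switch.receive(port, frame)
    seen = sensor_sees(switch.delivered["snort"], MAC["snort"], promiscuous)
    return [f["info"] for f in seen]


if __name__ == "__main__":
    for mirror in (False, True):
        for promisc in (False, True):
            print(f"mirror={mirror!s:5} promiscuous={promisc!s:5} ->",
                  run(mirror, promisc))
```

Without a mirror the sensor port gets exactly one frame, the initial ARP broadcast, because once the switch has learned where App-VM and the gateway sit it forwards their unicast frames only between those two ports; that is the "won't do this by default" from Mike's reply. With a mirror but the NIC in non-promiscuous mode the result is identical, since the mirrored copies are not addressed to the sensor's MAC and the NIC discards them before Snort sees them. Only mirror plus promiscuous mode delivers the whole conversation. How the mirror is created depends on the vswitch: Open vSwitch has a Mirror table driven by `ovs-vsctl`, ESX needs the vSwitch security policy to accept promiscuous mode (the vmetc link above covers that), and a plain Linux bridge has no mirror primitive, so the usual workaround is to switch off MAC learning with `brctl setageing <bridge> 0`, which makes the bridge flood every frame like a hub.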
Current thread:
- Snort VM monitoring other VMs (virtual environment) turki (Apr 11)
- Re: Snort VM monitoring other VMs (virtual environment) Jason Wallace (Apr 11)
- Re: Snort VM monitoring other VMs (virtual environment) turki (Apr 11)
- Re: Snort VM monitoring other VMs (virtual environment) Mike Lococo (Apr 11)
- Re: Snort VM monitoring other VMs (virtual environment) turki (Apr 12)
- Re: Snort VM monitoring other VMs (virtual environment) Crusty Saint (Apr 12)
- Re: Snort VM monitoring other VMs (virtual environment) turki (Apr 13)
- Re: Snort VM monitoring other VMs (virtual environment) turki (Apr 12)
- Re: Snort VM monitoring other VMs (virtual environment) Jason Wallace (Apr 11)