Re: snort sensor on virtual machine...

[Dave Corsello <snort-users () wintertreemedia com>]

You do need to allow promiscuous mode on the vSwitch.  Edit the Virtual
Machine Port Group in the vSwitch properties, and on the Security tab,
check Promiscuous Mode and choose Accept from the pull-down.

--Dave

On 4/11/2012 1:15 PM, Ian Bowers wrote:
> Hi all,
>
> I'm reply from digest, so I apologize if this has already been answered.
>
> I actually have a snort setup with ESXi right now. Not only is it
> possible, but there are some advantages to doing it on a VM.  the only
> requirement as far as the ESXi host goes is having 2 physical NICs.
>
> First, setting it up is easy.   Basically you have your ESXi host with
> 2 physical NICs.  in this example, vmnic0 is assigned to vswitch0, and
> vmnic1 is assigned to vswitch1. vswitch0 operates as normal with all
> your VMs on it, talking to the outside switch as it always would.
>  vswitch1 is set up as a plain virtual switch with one VM Network
> assigned to it.  I labeled mine "SpanNetwork" to differentiate it from
> the other port group not using VLAN tags.  Your snort box is set up on
> a VM with 2 virtual NICs.  One NIC is set up as normal, going through
> vswitch0 to whatever vlan you need it to go to for remote access. The
> other is assigned to SpanNetwork on vswitch1.  
>
> Next set up the SPAN port on your switch and connect the destination
> port to vmnic1 on your ESXi host.  That's all there is to it.  The
> reason this works is that the SPAN traffic is just mirrored packets.
>  when vswitch1 gets them, it behaves like a proper switch and floods
> all ports except the incident port with the traffic. in this case
> there's only one other port, which goes to the sensor interface on the
> snort VM.  I think you might need to turn on promiscuous mode on
> vswitch1, but I'm not certain.
>
> The light might have already gone off in your head, but this is where
> the bonus lies.  Any VM on that ESXi box can have an interface on
> vswitch1 and will get a copy of the traffic.  On my ESXi host right
> now I have two Security Onion boxes set up, one running Snort and the
> other running Suricata, to compare how they both operate in my
> environment.  It works great, they both get perfect copies of the
> traffic to their sensor interfaces.
>
> Regards,
> Ian
>
>     Message: 1
>     Date: Wed, 11 Apr 2012 12:03:56 -0430
>     From: Paul Marin <pmarinh45 () gmail com <mailto:pmarinh45 () gmail com>>
>     Subject: Re: [Snort-users] snort sensor on virtual machine...[?]
>     To: snort-users () lists sourceforge net
>     <mailto:snort-users () lists sourceforge net>
>     Message-ID: <4F85B274.1060309 () gmail com
>     <mailto:4F85B274.1060309 () gmail com>>
>     Content-Type: text/plain; charset=ISO-8859-1
>
>     Hi,
>
>     I am not completely sure, but I believe you cannot set up a
>     virtual nic
>     for capturing packets from a SPAN/mirror port since you don't have
>     direct physical access to the port. This is something i tried to
>     accomplish in VMware ESXi and i couldn't. I don't know if others
>     virtualization software can do that. (Someone please correct me if I'm
>     wrong).
>
>     So, this is something to take in count when running snort in a vm.
>
>     By other hand, snort tends to consume a lot of CPU resources. So,
>     maybe
>     it's better to dedicate a whole server to snort instead of sharing it
>     with others apps.
>
>     However, if you are planning to run add-on tools like sguil or
>     snortsam,
>     the sguil-server and the snortsam-agent components can surely be
>     run in
>     virtual enviroments.
>
>     Kindly,
>
>     Paul
>
>
>
> ------------------------------------------------------------------------------
> Better than sec? Nothing is better than sec when it comes to
> monitoring Big Data applications. Try Boundary one-second 
> resolution app monitoring today. Free.
> http://p.sf.net/sfu/Boundary-dev2dev
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!