[Snort-users] Re: Snort in VMware

Stephen W. Thompson thompson at ...1017...
Thu Feb 19 06:37:34 EST 2004

On Wed, 18 Feb 2004, Brian McNeilly <bmcneilly at ...9344...> wrote:

> Here's a summary of my setup: I am using VMware GSX Server for my Snort
> box. The guest OS where Snort is installed is running RedHat9, and the
> host is running Windows XP Pro.
> Everything seems to work great, except I can only see packets coming to
> and from my host IP address: nothing else from the network appears in the
> Snort logs. The host machine is connected to a non-switching hub, and the
> linux interface on the guest is set to promiscuous mode. What I want to
> scan is every packet going through the hub, regardless of the source and
> destination addresses.
> Has anyone had issues with running Snort on a VMware guest? Is there
> anything else I need to check to make sure my connection sees all the
> packets from the hub?

With Linux as guest and Linux as guest on version 2.x of VMware, I
had that sort of problem.  I needed to make sure that the user VMware
was running as had rights to the network resource I was trying to
use.  In that case, there was a /dev/vmnet<wildcardhere> file that
needed to be r/w permissions for the vmware user.  Glancing through
the VMware website's knowledgebase, there are various utilities which
newer versions provide.  See, for example,


En paz,
Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236
  The only safe choice: Write e-mail as if it's public.  Cuz it could be.

More information about the Snort-users mailing list