[Snort-users] Re: Snort in VMware

Stephen W. Thompson thompson at ...1017...
Thu Feb 19 06:37:34 EST 2004


On Wed, 18 Feb 2004, Brian McNeilly <bmcneilly at ...9344...> wrote:

> Here's a summary of my setup: I am using VMware GSX Server for my Snort
> box. The guest OS where Snort is installed is running RedHat9, and the
> host is running Windows XP Pro.
>
> Everything seems to work great, except I can only see packets coming to
> and from my host IP address: nothing else from the network appears in the
> Snort logs. The host machine is connected to a non-switching hub, and the
> linux interface on the guest is set to promiscuous mode. What I want to
> scan is every packet going through the hub, regardless of the source and
> destination addresses.
>
> Has anyone had issues with running Snort on a VMware guest? Is there
> anything else I need to check to make sure my connection sees all the
> packets from the hub?

With Linux as guest and Linux as guest on version 2.x of VMware, I
had that sort of problem.  I needed to make sure that the user VMware
was running as had rights to the network resource I was trying to
use.  In that case, there was a /dev/vmnet<wildcardhere> file that
needed to be r/w permissions for the vmware user.  Glancing through
the VMware website's knowledgebase, there are various utilities which
newer versions provide.  See, for example,

  http://www.vmware.com/support/esx2/doc/esx20admin_netwk5.html

En paz,
Steve
-- 
Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236
  The only safe choice: Write e-mail as if it's public.  Cuz it could be.




More information about the Snort-users mailing list