[Snort-users] Re: Snort in VMware
Stephen W. Thompson
thompson at ...1017...
Thu Feb 19 06:37:34 EST 2004
On Wed, 18 Feb 2004, Brian McNeilly <bmcneilly at ...9344...> wrote:
> Here's a summary of my setup: I am using VMware GSX Server for my Snort
> box. The guest OS where Snort is installed is running RedHat9, and the
> host is running Windows XP Pro.
> Everything seems to work great, except I can only see packets coming to
> and from my host IP address: nothing else from the network appears in the
> Snort logs. The host machine is connected to a non-switching hub, and the
> linux interface on the guest is set to promiscuous mode. What I want to
> scan is every packet going through the hub, regardless of the source and
> destination addresses.
> Has anyone had issues with running Snort on a VMware guest? Is there
> anything else I need to check to make sure my connection sees all the
> packets from the hub?
With Linux as guest and Linux as guest on version 2.x of VMware, I
had that sort of problem. I needed to make sure that the user VMware
was running as had rights to the network resource I was trying to
use. In that case, there was a /dev/vmnet<wildcardhere> file that
needed to be r/w permissions for the vmware user. Glancing through
the VMware website's knowledgebase, there are various utilities which
newer versions provide. See, for example,
Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236
The only safe choice: Write e-mail as if it's public. Cuz it could be.
More information about the Snort-users