[Snort-users] FW: Can Snort monitor multiple VLANs on a VM?

Jun Wan junwei_wan at ...125...
Fri Apr 9 21:36:32 EDT 2010


Hi Kirby,
 
Oops! The core switches in my network diagram are Huawei L3 core routing switch platform.
 
Cheers
 
John 

----------------------------------------
> From: junwei_wan at ...125...
> To: kirby.boteler at ...14814...
> CC: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Can Snort monitor multiple VLANs on a VM?
> Date: Fri, 9 Apr 2010 21:05:59 +0000
>
>
> Hi Kirby
>
> Please see more details in the attached network diagram.
>
> There are four physical DELL machines hosting our ESX4.0 (virtual machine environment); there are 6 NICs on each Dell machine: 2 NICs for live virtual servers, 2 NICs for Dmotion, and 2 NICs for console. So there are 2x4=8 NICs for all live virtual servers on the four physical DELL machines (our ESX4.0 environment).
>
> Snort is really interested in these 8 NICs for all live virtual servers, and these 8 NICs are evenly distributed and connected to our two cores (core router and redundant core router): 4 NICs from the four physical DELL machines are connected to the core, and the other 4 NICs are connected to the redundant core (please see the attachment for more details). These 8 NICs are connected to 8 ports with the following configuration on the core and the redundant core:
>
> hybrid link type
> with VLAN 1, VLAN 20 tagged, and
> the hybrid PVID is VLAN20.
>
> There are 3 virtual NICs on my Snort Virtual Machine (VM), which are from resource pools on the ESX4.0 environment. Now there is a problem: how can I configure "port mirroring" on the "virtual environment" the same way I did for Snort on my physical Accer machine?
>
> Any information and help would be much appreciated.
>
> Thanks.
>
> Regards
>
> John
>
>
> ----------------------------------------
>> Subject: RE: [Snort-users] Can Snort monitor multiple VLANs on a VM?
>> Date: Fri, 9 Apr 2010 09:23:47 -0500
>> From: Kirby.Boteler at ...14814...
>> To: junwei_wan at ...125...
>>
>> What sort of physical switch are you connecting your physical nic to? I assume you want to see network traffic that is passing on the vlans that are configured on the physical switch?
>>
>> Kirby Boteler | Director of Information Technology
>> Waggoner Engineering, Inc. | 143-A LeFleurs Square | Jackson, MS 39211
>> office: (601) 355-9526 |  fax: (601) 352-3945 | kirby.boteler at ...14814...
>>
>>
>> -----Original Message-----
>> From: Jun Wan [mailto:junwei_wan at ...125...]
>> Sent: Friday, April 09, 2010 12:38 AM
>> To: Kirby Boteler
>> Subject: RE: [Snort-users] Can Snort monitor multiple VLANs on a VM?
>>
>>
>> Hi Kirby,
>>
>> Thanks for your reply.
>>
>> In my physical Accer machine, all I did was to mirror the network traffic from the uplink fiber port (source) to the port (destination) the Accer box is connected to (these two ports are on the same switch).
>>
>> Is this the question you asked me ---- port mirroring configuration on the switch?
>>
>> I don't know what to configure on the switches for my VM's case, because all 3 NICs on my VM are virtual NICs, which are not really relevant to any physical ports on the switches. Please see more details of the ESX environment and how the ESX machines are connected to our cores.
>>
>> If we can't configure ports to monitor those vlans on a VM, then Snort wouldn't be able to monitor in a VM environment. Is that right?
>>
>> Any information and help would be much appreciated.
>>
>> Thanks again.
>>
>> Regards
>>
>> John
>>
>>
>> ----------------------------------------
>>> Subject: RE: [Snort-users] Can Snort monitor multiple VLANs on a VM?
>>> Date: Thu, 8 Apr 2010 16:15:36 -0500
>>> From: Kirby.Boteler at ...14814...
>>> To: junwei_wan at ...125...
>>>
>>> Have you configured your switch port to monitor those vlans?
>>>
>>> Kirby Boteler | Director of Information Technology
>>> Waggoner Engineering, Inc. | 143-A LeFleurs Square | Jackson, MS 39211
>>> office: (601) 355-9526 | fax: (601) 352-3945 | kirby.boteler at ...14814...
>>>
>>>
>>> -----Original Message-----
>>> From: Jun Wan [mailto:junwei_wan at ...125...]
>>> Sent: Thursday, April 08, 2010 1:13 AM
>>> To: snort-users at lists.sourceforge.net
>>> Subject: [Snort-users] Can Snort monitor multiple VLANs on a VM?
>>>
>>>
>>> Hi,
>>>
>>> I am new to Snort, I followed the instructions on this url:
>>> https://wwwx.cs.unc.edu/~hays/archives/work/index.php
>>>
>>> All went well, Snort is running well and I am getting many Snort alerts in BASE and the terminal.
>>>
>>> Snort 2.8.4.1 and Barnyard2 on Ubuntu 9.10 are running on my Accer box with a dual core Intel CPU @1.86 GHz, 80G HD.
>>>
>>> There is only one 10/100 NIC on my Accer box, so monitoring and management are on the same interface. Snort is monitoring only one VLAN (VLAN1) at the moment.
>>>
>>> Now I would like to use Snort to monitor multiple VLANs, e.g. VLAN 1, VLAN 20 etc., so I converted my Accer-Ubuntu-Snort box into a VM in our ESX4.0 environment. I created two additional NICs on the VM, so now there are three NICs: NIC1 is for management on VLAN1, NIC2 is for monitoring on VLAN1, and NIC3 is for monitoring on VLAN20.
>>>
>>> After lots of "Googling", I have found that the following post from Barry (in 2005) is really relevant to my case:
>>>
>>> http://seclists.org/snort/2005/q2/60
>>>
>>>
>>> I have got the idea, but it's still hard for me to follow the actual "HOW TO" steps. I don't expect anyone to "baby-sit" me on Snort, and Barry did a very good "case study", but I would like to have some extra info regarding the files, locations, what, how etc. (just like the first url link above from Bil) for a Snort dummy like me.
>>>
>>> I would like to have the following:
>>> 1.) How to setup the management interface separately from the monitoring interface?
>>> 2.) How to setup two instances of Snort and Barnyard to monitor two VLANs on one VM?
>>>
>>> * Network ports (for ESX 4.0 machines) on the switch are configured as follows:
>>>
>>> hybrid link type
>>> with VLAN 1, VLAN 20 tagged, and
>>> the hybrid PVID is VLAN20.
>>>
>>> Any information and help would be much appreciated.
>>>
>>> Many thanks in advance.
>>>
>>> Regards
>>>
>>> John
>>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ESX_Network_After Change2.jpg
Type: image/pjpeg
Size: 57880 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100410/011f8299/attachment.bin>
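The port configuration John quotes (hybrid link, VLAN 1 and VLAN 20 tagged, PVID VLAN 20) means a monitoring NIC attached to such a port sees 802.1Q-tagged frames for both VLANs, while any untagged frame belongs to the PVID. The following example, added here and not part of the thread or of Snort itself, parses constructed Ethernet frames the way that port would classify them and counts traffic per VLAN, which is a quick way to confirm that a single monitoring interface actually receives both VLANs before splitting them across Snort instances. Frame contents and MAC addresses are constructed sample data.

```python
import struct
from collections import Counter

ETHERTYPE_8021Q = 0x8100  # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
PVID = 20  # hybrid PVID on the core ports, as stated in the thread


def parse_vlan(frame: bytes, pvid: int = PVID):
    """Return (vlan_id, was_tagged, inner_ethertype) for one Ethernet frame.

    Untagged frames are attributed to the port's PVID, which is how a hybrid
    port classifies them; tagged frames carry their VID in the low 12 bits of
    the TCI field (the top 4 bits are priority/DEI and are masked off).
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, True, inner
    return pvid, False, ethertype


def count_by_vlan(frames, pvid: int = PVID) -> Counter:
    """Count frames per VLAN as seen on a hybrid port with the given PVID."""
    counts = Counter()
    for frame in frames:
        vid, _, _ = parse_vlan(frame, pvid)
        counts[vid] += 1
    return counts


def build_frame(vid=None, payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Build a minimal constructed frame, tagged with `vid` or untagged if None."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("005056000001")  # constructed VMware-style MAC
    if vid is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    # TCI = priority 0, DEI 0, VID = vid
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, vid, ETHERTYPE_IPV4) + payload


# Constructed capture: two frames on VLAN 1, three on VLAN 20, one untagged (-> PVID 20)
SAMPLE_FRAMES = [build_frame(1), build_frame(20), build_frame(1),
                 build_frame(20), build_frame(20), build_frame(None)]

if __name__ == "__main__":
    for vid, n in sorted(count_by_vlan(SAMPLE_FRAMES).items()):
        print(f"VLAN {vid}: {n} frames")
```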