[Snort-users] Snort VM monitoring other VMs (virtual environment)

Mike Lococo mikelococo at ...11827...
Mon Apr 11 15:19:16 EDT 2011


> I am running Snort 2.9 on a virtual machine with 1 NIC (eth0) and I
> manage to detect and log alerts generated from it. (I will call it
> Snort-VM)
> 
> My question, if I run another virtual machine (I will call it
> App-VM)within the same network of the Snort-VM (same subnet mask).
> Will I be able to configure Snort-VM to pick up traffic generated
> from App-VM?
> 
> So in general, Is it even possible to let Snort log traffic for other
> virtual machines?

It is possible.  There are two general paths:

1) Configure your vswitch to ship the traffic to your sniffer-vm.  It
won't do this by default, but it can be done.
2) Use a virtual-appliance of some kind that supports sniffing.  Solera
has something, I think, and there are some other security-specific
appliances that hook into VMWare on a fairly low level to monitor
clients in special ways (Anti-Virus VM's that do memory inspection of
all clients on a host, for example).

Check out this link, which has a decent overview of sniffing on ESX:
http://vmetc.com/2009/03/12/virtual-machine-sniffer-on-esx-hosts/

Cheers,
Mike Lococo




More information about the Snort-users mailing list