[Snort-users] Snort VM monitoring other VMs (virtual environment)
mikelococo at ...11827...
Mon Apr 11 15:19:16 EDT 2011
> I am running Snort 2.9 on a virtual machine with 1 NIC (eth0) and I
> manage to detect and log alerts generated from it. (I will call it
> My question, if I run another virtual machine (I will call it
> App-VM) within the same network of the Snort-VM (same subnet mask).
> Will I be able to configure Snort-VM to pick up traffic generated
> from App-VM?
> So in general, is it even possible to let Snort log traffic for other
> virtual machines?
It is possible. There are two general paths:
1) Configure your vswitch to ship the traffic to your sniffer-vm. It
won't do this by default, but it can be done.
2) Use a virtual appliance of some kind that supports sniffing. Solera
has something, I think, and there are some other security-specific
appliances that hook into VMware on a fairly low level to monitor
clients in special ways (anti-virus VMs that do memory inspection of
all clients on a host, for example).
Check out this link, which has a decent overview of sniffing on ESX:
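Path 1 above, worked out as an added example (not part of the original post) for a VMware standard vSwitch: it assumes VMware PowerCLI with an existing Connect-VIServer session, and the host, vSwitch, port-group and VM names are placeholders. The sniffer gets its own port group with promiscuous mode accepted, so the application VMs' port group keeps its default (Reject) and only the Snort VM can see everyone else's frames on that vSwitch and VLAN.

```powershell
# Added example, not from the original thread. Assumes VMware PowerCLI and
# an open Connect-VIServer session; every name below is a placeholder.
$HostName    = 'esx-host.example.invalid'
$SwitchName  = 'vSwitch0'          # the vSwitch App-VM is attached to
$PortGroup   = 'IDS-Monitor'       # dedicated port group for the sniffer only
$SnortVmName = 'Snort-VM'

$vmhost  = Get-VMHost -Name $HostName
$vswitch = Get-VirtualSwitch -VMHost $vmhost -Name $SwitchName

# Create a separate port group for the sniffer so promiscuous mode is never
# enabled on the port group the application VMs use (any VM placed on a
# promiscuous port group would see the same traffic the IDS sees).
$pg = Get-VirtualPortGroup -VirtualSwitch $vswitch -Name $PortGroup -ErrorAction SilentlyContinue
if (-not $pg) {
    $pg = New-VirtualPortGroup -VirtualSwitch $vswitch -Name $PortGroup
}

# "Promiscuous Mode = Accept" is the setting that makes the vSwitch deliver
# frames addressed to other VMs (same vSwitch, same VLAN) to this port group.
$pg | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuous $true | Out-Null

# Move the Snort VM's adapter (eth0 inside the guest) onto that port group.
Get-VM -Name $SnortVmName | Get-NetworkAdapter |
    Set-NetworkAdapter -Portgroup $pg -Confirm:$false | Out-Null

# Check: the only VM on the promiscuous port group should be the sniffer.
$onPg = Get-VM | Get-NetworkAdapter |
    Where-Object { $_.NetworkName -eq $PortGroup } |
    ForEach-Object { $_.Parent.Name } | Sort-Object -Unique
Write-Output ("VMs on {0}: {1}" -f $PortGroup, ($onPg -join ', '))
```

After this, a capture on eth0 inside the Snort VM should show App-VM's traffic; if it does not, check that both port groups sit on the same VLAN of the same vSwitch.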