[Snort-users] Snort VM monitoring other VMs (virtual environment)

Crusty Saint saintcrusty at ...11827...
Tue Apr 12 10:29:39 EDT 2011


Would this not require some sort of VLAN set-up?

http://open.eucalyptus.com/wiki/EucalyptusNetworkConfiguration_v2.0
documents there are multiple network modes available. If at all applicable, a
span-port would do the magic you're looking for.



2011/4/12 turki <turki_00 at ...131...>

> Hi Mike,
>
> Unfortunately, I am not using VMware products.
>
> I am using Eucalyptus cloud
> http://open.eucalyptus.com/
>
>
>
> --- On *Mon, 4/11/11, Mike Lococo <mikelococo at ...11827...>* wrote:
>
>
> From: Mike Lococo <mikelococo at ...11827...>
>
> Subject: Re: [Snort-users] Snort VM monitoring other VMs (virtual
> environment)
> To: snort-users at lists.sourceforge.net
> Received: Monday, April 11, 2011, 11:19 PM
>
>
> > I am running Snort 2.9 on a virtual machine with 1 NIC (eth0) and I
> > manage to detect and log alerts generated from it. (I will call it
> > Snort-VM)
> >
> > My question, if I run another virtual machine (I will call it
> > App-VM) within the same network as the Snort-VM (same subnet mask).
> > Will I be able to configure Snort-VM to pick up traffic generated
> > from App-VM?
> >
> > So in general, Is it even possible to let Snort log traffic for other
> > virtual machines?
>
> It is possible.  There are two general paths:
>
> 1) Configure your vswitch to ship the traffic to your sniffer-vm.  It
> won't do this by default, but it can be done.
> 2) Use a virtual-appliance of some kind that supports sniffing.  Solera
> has something, I think, and there are some other security-specific
> appliances that hook into VMWare on a fairly low level to monitor
> clients in special ways (Anti-Virus VM's that do memory inspection of
> all clients on a host, for example).
>
> Check out this link, which has a decent overview of sniffing on ESX:
> http://vmetc.com/2009/03/12/virtual-machine-sniffer-on-esx-hosts/
>
> Cheers,
> Mike Lococo
>
>
> ------------------------------------------------------------------------------
> Forrester Wave Report - Recovery time is now measured in hours and minutes
> not days. Key insights are discussed in the 2010 Forrester Wave Report as
> part of an in-depth evaluation of disaster recovery service providers.
> Forrester found the best-in-class provider in terms of services and vision.
> Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>



-- 
- - -
Security Engineer - Tags: Analyst Systems Security Linux Firewall Network
Web Troubleshooting - If you think I deserve a rant, write me off-list
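Mike's option 1 (have the virtual switch ship the traffic to the sniffer VM) and the span-port idea above, worked through for the Linux bridge that a Eucalyptus node controller attaches its instances to. This is an added example, not code from anyone in the thread or from the Eucalyptus project: it uses tc's mirred action to copy every frame entering or leaving App-VM's tap device onto Snort-VM's tap device, which is what a SPAN port does on a physical switch. The device names vnet0 (App-VM's tap), vnet1 (Snort-VM's tap) and br0 are assumptions; look the real ones up with `brctl show` on the node controller.

```shell
#!/bin/sh
# Added example (not from the original thread): turn a Linux bridge port on a
# Eucalyptus node controller into a SPAN port by mirroring both directions of
# App-VM's tap device onto Snort-VM's tap device with tc mirred.
# Device names vnet0/vnet1/br0 are assumptions; check them with `brctl show`.

# Emit (do not run) the tc commands that mirror both directions of
# $1 (the monitored VM's tap) onto $2 (the Snort-VM's tap).
mirror_cmds() {
    src="$1"
    mon="$2"
    # Ingress on the tap = frames App-VM sends into the bridge.
    echo "tc qdisc add dev $src handle ffff: ingress"
    echo "tc filter add dev $src parent ffff: protocol all u32 match u32 0 0 action mirred egress mirror dev $mon"
    # Egress on the tap = frames the bridge delivers to App-VM.
    echo "tc qdisc add dev $src handle 1: root prio"
    echo "tc filter add dev $src parent 1: protocol all u32 match u32 0 0 action mirred egress mirror dev $mon"
}

# Emit the commands that undo mirror_cmds (deleting a qdisc drops its filters).
unmirror_cmds() {
    src="$1"
    echo "tc qdisc del dev $src ingress"
    echo "tc qdisc del dev $src root"
}

# Run the emitted commands; needs root on the node controller.
apply_mirror() {
    mirror_cmds "$1" "$2" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
}

# Check from inside Snort-VM: the mirror works if a frame addressed to or from
# App-VM ($1) shows up on Snort-VM's interface ($2) within 10 seconds.
# tcpdump puts the interface into promiscuous mode, which the mirrored frames
# need because they carry App-VM's MAC addresses, not Snort-VM's.
check_mirror() {
    timeout 10 tcpdump -ni "$2" -c 1 host "$1" >/dev/null 2>&1
}

# Usage on the node controller:
#   sh mirror.sh --dry-run vnet0 vnet1   # show the commands
#   apply_mirror vnet0 vnet1             # as root, after sourcing this file
if [ "${1:-}" = "--dry-run" ]; then
    mirror_cmds "${2:-vnet0}" "${3:-vnet1}"
fi
```

Two caveats a practitioner will hit. First, this only covers App-VMs on the same node controller as Snort-VM; instances on other hosts never cross this bridge, so their traffic needs a SPAN session on the physical switch or the same mirror on every host. Second, in the MANAGED network modes that Crusty's link describes, Eucalyptus puts each security group on its own VLAN, so the tap you mirror belongs to one VLAN, and with a single NIC the mirrored copy lands on Snort-VM's eth0 alongside its own management traffic; Snort handles that, but it doubles the load on that interface.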