[Snort-users] Virtual Machines and Hypervisors

Joel Esler jesler at ...1935...
Tue Jan 29 09:06:54 EST 2013


On Jan 29, 2013, at 7:59 AM, Juan Camilo Valencia <juan.valencia at ...16058....> wrote:

> Hi Guys,
> 
> I am trying to find a way to ban virtual machines and hypervisors in our network. I did some quick research and I didn't find anything.
> 
> Can somebody tell me if there is a way or a method to detect that? One of my ideas is to detect that kind of traffic when the VM is configured in NAT mode, but the problem is when the VM is configured in bridge mode.

It's a bit difficult to take care of this task via Snort as it involves tracking host vs. MAC address vs. traffic.  Snort doesn't help inherently with this.

Sourcefire makes another product that does this (it's not open source) in our commercial products.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
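
Added example, not part of the original thread and not Sourcefire's or Snort's code: a sketch of the host vs. MAC address correlation mentioned in the reply, applied to the bridged-mode case, where each guest puts its own MAC on the wire. It assumes you can export (switch port, MAC, IP) rows from a switch MAC table or ARP/DHCP logs; the function names, port names and sample rows are constructed for illustration.

```python
from collections import defaultdict

# Default OUI prefixes that common hypervisors assign to virtual NICs.
# A guest's MAC can be changed, so a match is a hint, not proof.
VIRTUAL_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen", "52:54:00": "QEMU/KVM",
}

# Constructed sample rows: (switch_port, mac, ip). All values are made up.
SAMPLE = [
    ("Gi1/0/1", "3C:52:82:11:22:33", "10.0.0.11"),
    ("Gi1/0/2", "3C:52:82:44:55:66", "10.0.0.12"),
    ("Gi1/0/2", "00:0C:29:AA:BB:CC", "10.0.0.57"),  # bridged guest, default MAC
    ("Gi1/0/3", "F0:1F:AF:01:02:03", "10.0.0.13"),
    ("Gi1/0/3", "F0:1F:AF:0A:0B:0C", "10.0.0.58"),  # bridged guest, changed MAC
    ("Gi1/0/24", "00:50:56:00:00:01", "10.0.0.1"),  # uplink port, excluded
    ("Gi1/0/24", "3C:52:82:77:88:99", "10.0.0.2"),
]

def normalize(mac):
    """Lower-case a MAC and use ':' separators so prefixes compare cleanly."""
    return mac.lower().replace("-", ":")

def hypervisor_for(mac):
    """Return the hypervisor name for a known virtual-NIC OUI, else None."""
    return VIRTUAL_OUIS.get(normalize(mac)[:8])

def find_suspect_ports(rows, uplinks=()):
    """Map each access port to the reasons it may host a bridged VM."""
    macs_by_port = defaultdict(set)
    for port, mac, _ip in rows:
        if port not in uplinks:  # uplinks legitimately carry many MACs
            macs_by_port[port].add(normalize(mac))
    findings = {}
    for port, macs in sorted(macs_by_port.items()):
        reasons = [f"{m} has {hypervisor_for(m)} OUI"
                   for m in sorted(macs) if hypervisor_for(m)]
        # More than one MAC behind a single access port also catches guests
        # whose MAC was changed; IP phones and desk switches trigger it too.
        if len(macs) > 1:
            reasons.append(f"{len(macs)} MACs on one access port")
        if reasons:
            findings[port] = reasons
    return findings

if __name__ == "__main__":
    for port, why in find_suspect_ports(SAMPLE, uplinks={"Gi1/0/24"}).items():
        print(port, "->", "; ".join(why))
```

A guest in NAT mode shares the host's MAC and IP, so this check does not see it.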
