[Snort-users] Virtual Machines and Hypervisors

Joel Esler jesler at ...1935...
Tue Jan 29 09:36:28 EST 2013


No, not really (vms sending identifying traffic), the best detection method is detection of multiple macs from a single IP, or multiple IPs from a single mac.


On Jan 29, 2013, at 9:24 AM, Juan Camilo Valencia <camilo.valencia13 at ...14540...27...> wrote:

> Hi Guys,
> 
> I thought that maybe the VM generate some kind of flags in the headers of the protocols to communicate in the network. Basically I can detect the MAC address and associate them with and IP address, however there are scenarios that the people can change the MAC address and the method that I use is not valid. But Thanks a lot for your fast answer,
> 
> Best Regards,   
> 
> 
> On Tue, Jan 29, 2013 at 9:06 AM, Joel Esler <jesler at ...1935...> wrote:
> On Jan 29, 2013, at 7:59 AM, Juan Camilo Valencia <juan.valencia at ...16059......> wrote:
> 
>> Hi Guys,
>> 
>> I am trying to find a way to ban virtual machines and hypervisors in our network, I made a quicly research and I didn't found anything.
>> 
>> Can somebody tell me if exist a way or a method to detect that, one of my ideas is when the VM is configured in NAT mode detect that kind of traffic, but the problem is when the VM is configured in bridge mode.
> 
> It's a bit difficult to take care of this task via Snort as it involves tracking host vs. mac address vs. traffic.  Snort doesn't help inherently with this.
> 
> Sourcefire makes another product that does this (it's not open source) in our commercial products.
> 
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
> 
> 
> 
> 
> -- 
> JUAN CAMILO VALENCIA VARGAS
> Ingeniero de Operaciones
> SeguraTec S.A.S 
> Calle 11 # 43B-50 of 307
> Medelllín Colombia
> 
> “Choose a job you love, and you will never have to work a day in your life”

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130129/a83caf58/attachment.html>


More information about the Snort-users mailing list