[Snort-users] Virtual Machines and Hypervisors

Juan Camilo Valencia juan.valencia at ...16028...
Tue Jan 29 10:00:11 EST 2013


Hi Joel,

Great, thank you, I'm going to try.

Regards,


On Tue, Jan 29, 2013 at 9:36 AM, Joel Esler <jesler at ...1935...> wrote:

> No, not really (VMs sending identifying traffic), the best detection
> method is detection of multiple MACs from a single IP, or multiple IPs from
> a single MAC.
>
>
> On Jan 29, 2013, at 9:24 AM, Juan Camilo Valencia <
> camilo.valencia13 at ...11827...> wrote:
>
> Hi Guys,
>
> I thought that maybe the VM generates some kind of flags in the headers of
> the protocols to communicate in the network. Basically I can detect the MAC
> address and associate it with an IP address, however there are scenarios
> where people can change the MAC address and the method that I use is not
> valid. But thanks a lot for your fast answer,
>
> Best Regards,
>
>
> On Tue, Jan 29, 2013 at 9:06 AM, Joel Esler <jesler at ...1935...> wrote:
>
>> On Jan 29, 2013, at 7:59 AM, Juan Camilo Valencia <
>> juan.valencia at ...16028...> wrote:
>>
>> Hi Guys,
>>
>> I am trying to find a way to ban virtual machines and hypervisors in our
>> network. I did some quick research and I didn't find anything.
>>
>> Can somebody tell me if there is a way or a method to detect that? One of my
>> ideas is, when the VM is configured in NAT mode, to detect that kind of traffic,
>> but the problem is when the VM is configured in bridge mode.
>>
>>
>> It's a bit difficult to take care of this task via Snort as it involves
>> tracking host vs. mac address vs. traffic.  Snort doesn't help inherently
>> with this.
>>
>> Sourcefire makes another product that does this (it's not open source) in
>> our commercial products.
>>
>> --
>> *Joel Esler*
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
>>
>>
>
>
> --
> JUAN CAMILO VALENCIA VARGAS
> Operations Engineer
> SeguraTec S.A.S
> Calle 11 # 43B-50 of 307
> Medellín Colombia
>
> *“Choose a job you love, and you will never have to work a day in your
> life”*
>
>
>


-- 
JUAN CAMILO VALENCIA VARGAS
Operations Engineer
SeguraTec S.A.S
Calle 11 # 43B-50 of 307
Medellín Colombia

*“Choose a job you love, and you will never have to work a day in your life”*
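
The correlation suggested in the quoted reply (multiple MACs from a single IP, or multiple IPs from a single MAC), as an added example that is not part of the original thread and is not Snort or Sourcefire code. The input line format, the function names and the 300-second window are assumptions made for illustration; the sample observations are constructed.

```python
from collections import defaultdict

# Constructed sample (not real data): epoch seconds, source MAC, source IP per line.
SAMPLE = """\
1000 00:11:22:33:44:55 192.0.2.10
1010 02:00:00:aa:bb:01 192.0.2.10
1020 00:11:22:33:44:66 192.0.2.20
1030 00:11:22:33:44:66 192.0.2.21
1050 00:11:22:33:44:77 192.0.2.30
9000 00:11:22:33:44:88 192.0.2.30
1060 ff:ff:ff:ff:ff:ff 192.0.2.40
1070 00:11:22:33:44:99 0.0.0.0
"""
IGNORED = {"ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00", "0.0.0.0", "255.255.255.255"}

def parse(text):
    """Yield (ts, mac, ip), skipping malformed lines and non-host addresses."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        ts, mac, ip = int(parts[0]), parts[1].lower(), parts[2]
        if mac in IGNORED or ip in IGNORED:
            continue
        yield ts, mac, ip

def conflicts(triples, window):
    """From (ts, key, value) triples, return key -> sorted distinct values
    for keys that showed different values within `window` seconds."""
    seen = defaultdict(list)
    for ts, key, value in sorted(triples):
        seen[key].append((ts, value))
    out = {}
    for key, events in seen.items():
        hits = set()
        for i, (ts_a, val_a) in enumerate(events):
            for ts_b, val_b in events[i + 1:]:
                if ts_b - ts_a > window:
                    break  # events are time-ordered; later ones are further away
                if val_a != val_b:
                    hits.update((val_a, val_b))
        if hits:
            out[key] = sorted(hits)
    return out

def detect(text, window=300):  # window (seconds) is an assumed tuning value
    obs = list(parse(text))
    return {"ip_with_multiple_macs": conflicts([(t, ip, mac) for t, mac, ip in obs], window),
            "mac_with_multiple_ips": conflicts([(t, mac, ip) for t, mac, ip in obs], window)}
```

With the default window, 192.0.2.30 is not reported because its two MACs appear far apart in time, which is what an address reassignment looks like; widening the window reports it.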