[Snort-users] Virtual Machines and Hypervisors

Joel Esler jesler at ...1935...
Tue Jan 29 14:22:28 EST 2013


Firesight is what we call it now.  RNA+ other things. 

But it would require no filters or rules. It would do this on its own. 

That being said, this isn't a Sourcefire product email list, it's a Snort list.  So I apologize to anyone thinking I've dragged this on too far.  



--
Joel Esler
Sent from my iPhone 

On Jan 29, 2013, at 2:18 PM, mikael keri <info at ...16060...> wrote:

> Joel,
> 
> Depends what you mean by naturally, it's been a couple of years since I
> used RNA.. too long one might say =) But I guess that you mean that RNA
> might apply filters/rules to detect that kind of traffic pattern.
> 
> If so I guess you are right, p0f and other passive detection solutions
> like pads (whose output will contain MAC addresses btw) will give you logs
> that you will have to apply your own filter to.
> 
> I remember looking at using passive detection for a way to detect VM
> hosts a couple of years back and found this one:
> 
> http://www.chrisbrenton.org/2009/09/passively-fingerprinting-vmware-virtual-systems/
> (might still be valid)
> 
> Also passive detection is best done close to the target(s), which in a
> big campus might be hard to do.
> 
> Shawn's answer is a very good one and very usable in a non-BYOD
> environment; if you can't control the clients, enabling port-security in
> the switch might be one other way forward.
> 
> But to get back to topic, the following rules might give you something,
> but VirtualBox, which also has an update feature, is not covered (might be
> a rule to write..)
> 
> 1:2013749 (ET)
> 
> Regards
> Mikael
> 
> 
> On 2013-01-29 16:53, Joel Esler wrote:
>> I haven't worked with p0f in several years, but I don't think p0f would
>> do it naturally.  You'd have to have p0f identify the different OSes
>> being detected on one IP with multiple macs, or vice versa.  
>> 
>> p0f doesn't do that.
>> 
>> --
>> *Joel Esler*
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
>> 
>> On Jan 29, 2013, at 9:26 AM, Mikael Keri <info at ...16060...
>> <mailto:info at ...16060...>> wrote:
>> 
>>> Forgot to cc the list. See below.
>>> But to follow up, if you can't go the SF way with RNA there is always
>>> p0f. But I still think that my original answer would be a way forward
>>> for you.
>>> 
>>> Regards
>>> Mikael
>>> 
>>> ---------- Forwarded message ----------
>>> From: "Mikael Keri" <info at ...16060... <mailto:info at ...16060...>>
>>> Date: 29 Jan 2013 15:05
>>> Subject: Re: [Snort-users] Virtual Machines and Hypervisors
>>> To: "Juan Camilo Valencia" <juan.valencia at ...16028...
>>> <mailto:juan.valencia at ...16028...>>
>>> 
>>> Nmap? Also look in switch logs / DHCP logs for MAC addresses that do
>>> not belong to your standard hardware platform.
>>> 
>>> This might be a better option than using Snort for the detection. That
>>> said, there are rules to detect VMware software update requests.
>>> 
>>> Regards
>>> Mikael
>>> 
>>> On 29 Jan 2013 14:33, "Juan Camilo Valencia"
>>> <juan.valencia at ...16028... <mailto:juan.valencia at ...16028...>> wrote:
>>> 
>>>    Hi Guys,
>>> 
>>>    I am trying to find a way to ban virtual machines and hypervisors
>>>    in our network. I did some quick research and I didn't find anything.
>>> 
>>>    Can somebody tell me if there is a way or a method to detect that?
>>>    One of my ideas is, when the VM is configured in NAT mode, to detect
>>>    that kind of traffic, but the problem is when the VM is configured
>>>    in bridge mode.
>>> 
>>>    Thanks in advance,
>>> 
>>>    Regards
>>> 
>>>    -- 
>>>    JUAN CAMILO VALENCIA VARGAS
>>>    Operations Engineer
>>>    SeguraTec S.A.S 
>>>    Calle 11 # 43B-50 of 307
>>>    Medellín Colombia
>>> 
>>>    *“Choose a job you love, and you will never have to work a day in
>>>    your life”*
>>> 
>>> 
> 
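Mikael's suggestion above (check DHCP/switch logs for MAC addresses outside your standard hardware) is easy to automate. The script below is an added example, not code from any poster or from Snort/Sourcefire; it scans constructed ISC dhcpd-style DHCPACK lines, flags MACs whose OUI belongs to a publicly registered virtualization vendor, and also flags any OUI missing from a hypothetical site-hardware allowlist (SITE_HARDWARE_OUIS is a placeholder you would fill from your own inventory).

```python
import re

# Publicly registered OUIs of common virtualization vendors (IEEE registry).
VIRT_OUIS = {
    "00:50:56": "VMware", "00:0c:29": "VMware",
    "00:05:69": "VMware", "00:1c:14": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen",
    "52:54:00": "QEMU/KVM",
    "00:1c:42": "Parallels",
}

# Hypothetical allowlist: OUIs of the site's standard hardware platform.
SITE_HARDWARE_OUIS = {"3c:52:82", "f4:8e:38"}

# Constructed dhcpd log excerpt (not real data); only DHCPACK lines are scored.
SAMPLE_LOG = """\
Jan 29 14:01:02 dhcp1 dhcpd: DHCPACK on 10.10.5.23 to 3c:52:82:aa:bb:cc (lab-ws01) via eth0
Jan 29 14:01:09 dhcp1 dhcpd: DHCPACK on 10.10.5.77 to 00:0C:29:12:34:56 via eth0
Jan 29 14:02:15 dhcp1 dhcpd: DHCPACK on 10.10.5.80 to 08:00:27:de:ad:be (ubuntu-vm) via eth0
Jan 29 14:02:40 dhcp1 dhcpd: DHCPACK on 10.10.5.91 to 00:11:22:33:44:55 (unknown) via eth0
Jan 29 14:03:01 dhcp1 dhcpd: DHCPDISCOVER from f4:8e:38:01:02:03 via eth0
"""

ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)

def classify(mac):
    """Label a MAC by its OUI: known virtualization vendor, site hardware, or unknown."""
    oui = mac.lower()[:8]
    if oui in VIRT_OUIS:
        return "virtual:" + VIRT_OUIS[oui]
    if oui in SITE_HARDWARE_OUIS:
        return "known-hardware"
    return "unknown-oui"

def find_suspect_hosts(log_text):
    """Return (ip, mac, verdict) for each DHCPACK whose MAC is not site hardware."""
    hits = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower()
        verdict = classify(mac)
        if verdict != "known-hardware":
            hits.append((ip, mac, verdict))
    return hits

if __name__ == "__main__":
    for ip, mac, verdict in find_suspect_hosts(SAMPLE_LOG):
        print(f"{ip:<14} {mac}  {verdict}")
```

This catches bridged-mode guests, which present their own MAC to the LAN; NAT-mode guests hide behind the host's MAC and never appear in DHCP logs, so they need the traffic-based rules discussed in the thread. A user can also override a guest's MAC, so treat an OUI match as a signal to investigate rather than proof.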