[Snort-users] Virtual Machines and Hypervisors

mikael keri info at ...16060...
Tue Jan 29 14:18:53 EST 2013


Joel,

Depends what you mean by naturally, it's been a couple of years since I
used RNA.. to long one might say =) But I guess that you mean that RNA
might apply filters/rules to detect that kind of traffic pattern.

If so I guess you are right, p0f and other passive detection solutions
like pads (whose output will contain MAC address btw) will give you logs
that you will have to apply your own filter to.

I remember looking at using passive detection for a way to detect VM
hosts a couple of years back and found this one:

http://www.chrisbrenton.org/2009/09/passively-fingerprinting-vmware-virtual-systems/
(might still be valid)

Also passive detection is best done close to the target(s), which in a
big campus might be hard to do.

Shawn’s answer is very good one and very usable in a none BOYD
environment, if you can't control the clients, enabling port-security in
the switch might be one other way forward.

But to get back to topic the following rules might give you something ,
but Virtualbox, which also has a update feature is not covered (might be
a rule to write..)

1:2013749 (ET)

Regards
Mikael


On 2013-01-29 16:53, Joel Esler wrote:
> I haven't worked with p0f in several years, but I don't think p0f would
> do it naturally.  You'd have to have p0f identify the different OSes
> being detected on one IP with multiple macs, or vice versa.  
> 
> p0f doesn't do that.
> 
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
> 
> On Jan 29, 2013, at 9:26 AM, Mikael Keri <info at ...16060...
> <mailto:info at ...16060...>> wrote:
> 
>> Forgotten to cc the list. See below.
>> But to follow up if you can't go the SF way with RNA there is always
>> p0f. But I still think that my original  answer would be a way forward
>> for you.
>>
>> Regards
>> Mikael
>>
>> ---------- Vidarebefordrat meddelande ----------
>> Från: "Mikael Keri" <info at ...16060... <mailto:info at ...16060...>>
>> Datum: 29 jan 2013 15:05
>> Ämne: Re: [Snort-users] Virtual Machines and Hypervisors
>> Till: "Juan Camilo Valencia" <juan.valencia at ...16028...
>> <mailto:juan.valencia at ...16028...>>
>>
>> Nmap? Also look in switch logs / dhcp logs for mac address that does
>> not belong to your standard hardware platform.
>>
>> This might be a better option then use Snort for the detection. That
>> said there are rules to detects Vmware software update requests
>>
>> Regards
>> Mikael
>>
>> Den 29 jan 2013 14:33 skrev "Juan Camilo Valencia"
>> <juan.valencia at ...16028... <mailto:juan.valencia at ...16028...>>:
>>
>>     Hi Guys,
>>
>>     I am trying to find a way to ban virtual machines and hypervisors
>>     in our network, I made a quicly research and I didn't found anything.
>>
>>     Can somebody tell me if exist a way or a method to detect that,
>>     one of my ideas is when the VM is configured in NAT mode detect
>>     that kind of traffic, but the problem is when the VM is configured
>>     in bridge mode.
>>
>>     Thanks for your advance,
>>
>>     Regards
>>
>>     -- 
>>     JUAN CAMILO VALENCIA VARGAS
>>     Ingeniero de Operaciones
>>     SeguraTec S.A.S 
>>     Calle 11 # 43B-50 of 307
>>     Medelllín Colombia
>>
>>     *“Choose a job you love, and you will never have to work a day in
>>     your life”*
>>
>>     ------------------------------------------------------------------------------
>>     Master Visual Studio, SharePoint, SQL, ASP.NET <http://asp.net/>,
>>     C# 2012, HTML5, CSS,
>>     MVC, Windows 8 Apps, JavaScript and much more. Keep your skills
>>     current
>>     with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
>>     MVPs and experts. ON SALE this month only -- learn more at:
>>     http://p.sf.net/sfu/learnnow-d2d
>>     _______________________________________________
>>     Snort-users mailing list
>>     Snort-users at lists.sourceforge.net
>>     <mailto:Snort-users at lists.sourceforge.net>
>>     Go to this URL to change user options or unsubscribe:
>>     https://lists.sourceforge.net/lists/listinfo/snort-users
>>     Snort-users list archive:
>>     http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>>     Please visit http://blog.snort.org <http://blog.snort.org/> to
>>     stay current on all the latest Snort news!
>>
>> ------------------------------------------------------------------------------
>> Master Visual Studio, SharePoint, SQL, ASP.NET <http://ASP.NET>, C#
>> 2012, HTML5, CSS,
>> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
>> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
>> MVPs and experts. ON SALE this month only -- learn more at:
>> http://p.sf.net/sfu/learnnow-d2d_______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
> 





More information about the Snort-users mailing list