[Snort-users] Virtual Machines and Hypervisors
ulric at ...13186...
Wed Jan 30 03:13:42 EST 2013
On 01/29/2013 03:36 PM, Joel Esler wrote:
> No, not really (vms sending identifying traffic), the best detection
> method is detection of multiple macs from a single IP, or multiple IPs
> from a single mac.
Every VM I have in VirtualBox on my laptop has a unique MAC address and
IP address on its bridged network interface. The only reliable way I
can think of to detect virtual machines and hypervisors is when there
are multiple MACs and/or IPs on a single cable attached to what should
be a single host. That would need to happen in the switch where the
other end of said cable is connected.
An unreliable way to detect VMs is to check the MAC vendor ID. Anything
from "Cadmus Computers" is probably VirtualBox. It's unreliable because
the MAC can easily be changed.
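The two checks discussed in this thread (more than one MAC behind a single switch port, or MAC/IP pairs that do not line up one-to-one, plus the weaker vendor-OUI hint) as an added example run over a constructed MAC-table sample. This is example code written for this page, not from the poster or from Snort; the switch-port names, MACs and IPs are made up, and the OUI table beyond the VirtualBox/Cadmus entry named in the thread comes from the public OUI registry rather than from the post, so treat it as an assumption to maintain.

```python
"""Detect bridged VMs from (switch_port, mac, ip) observations.

Input could come from a switch's MAC address table joined with ARP, or from
passive ARP/DHCP monitoring. Everything below is constructed sample data.
"""
from collections import defaultdict

# First three octets of MACs assigned by common hypervisors. Only the
# VirtualBox (Cadmus) entry is mentioned in the thread; the rest are from
# the public OUI registry and are an assumption to keep current. As the
# thread notes, a guest's MAC is trivially changed, so this is a hint only.
VIRTUAL_OUIS = {
    "08:00:27": "VirtualBox (Cadmus Computer Systems)",
    "00:0c:29": "VMware",
    "00:50:56": "VMware",
    "00:15:5d": "Microsoft Hyper-V",
    "52:54:00": "QEMU/KVM",
}

# Constructed sample. Port Gi0/3 carries a laptop plus two bridged guests;
# Gi0/2's MAC has been seen with two IPs; 10.0.0.10 has been seen with two MACs.
OBSERVATIONS = [
    ("Gi0/1", "3c:97:0e:11:22:33", "10.0.0.10"),
    ("Gi0/2", "a4:5e:60:aa:bb:cc", "10.0.0.11"),
    ("Gi0/3", "3c:97:0e:44:55:66", "10.0.0.20"),  # laptop's physical NIC
    ("Gi0/3", "08:00:27:12:34:56", "10.0.0.21"),  # VirtualBox guest, bridged
    ("Gi0/3", "00:0c:29:ab:cd:ef", "10.0.0.22"),  # VMware guest, bridged
    ("Gi0/2", "a4:5e:60:aa:bb:cc", "10.0.0.99"),  # same MAC, second IP
    ("Gi0/4", "00:15:5d:01:02:03", "10.0.0.10"),  # same IP as Gi0/1, other MAC
]


def oui(mac):
    """Vendor prefix (first three octets), normalised to lowercase."""
    return mac.lower()[:8]


def _group(observations, key_index, value_index):
    """Map observation[key_index] -> sorted list of observation[value_index]
    for every key seen with more than one distinct value."""
    groups = defaultdict(set)
    for obs in observations:
        groups[obs[key_index].lower()].add(obs[value_index].lower())
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def ports_with_multiple_macs(observations):
    """The reliable signal from the thread: several MACs behind one access
    port that should carry a single host. Needs the switch's view."""
    return _group(observations, 0, 1)


def ips_with_multiple_macs(observations):
    """Joel's first suggestion: one IP claimed by more than one MAC."""
    return _group(observations, 2, 1)


def macs_with_multiple_ips(observations):
    """Joel's second suggestion: one MAC answering for several IPs. Also
    produced by plain DHCP renewals over time, so scope the window."""
    return _group(observations, 1, 2)


def virtual_ouis(observations):
    """The unreliable signal: MACs whose vendor prefix belongs to a hypervisor."""
    return {mac.lower(): VIRTUAL_OUIS[oui(mac)]
            for _, mac, _ in observations if oui(mac) in VIRTUAL_OUIS}


if __name__ == "__main__":
    for name, finder in (("ports with >1 MAC", ports_with_multiple_macs),
                         ("IPs with >1 MAC", ips_with_multiple_macs),
                         ("MACs with >1 IP", macs_with_multiple_ips),
                         ("hypervisor OUIs", virtual_ouis)):
        print(f"{name}:")
        for k, v in sorted(finder(OBSERVATIONS).items()):
            print(f"  {k}: {v}")
```

The port-based check is the one the poster calls reliable because it is computed on the switch side and a guest cannot hide the extra MAC it bridges onto the wire; the MAC/IP cardinality checks work from a passive tap but need a time window so ordinary DHCP lease changes are not reported, and the OUI lookup should only ever raise the priority of a finding from the other checks.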