[Snort-users] Virtual Machines and Hypervisors

Juan Camilo Valencia camilo.valencia13 at ...11827...
Tue Jan 29 09:24:08 EST 2013

Hi Guys,

I thought that maybe the VMs generate some kind of flags in the headers of
the protocols to communicate in the network. Basically I can detect the MAC
address and associate it with an IP address, however there are scenarios
where people can change the MAC address and the method that I use is not
valid. But thanks a lot for your fast answer,

Best Regards,

On Tue, Jan 29, 2013 at 9:06 AM, Joel Esler <jesler at ...1935...> wrote:

> On Jan 29, 2013, at 7:59 AM, Juan Camilo Valencia <
> juan.valencia at ...16028...> wrote:
>
> Hi Guys,
> I am trying to find a way to ban virtual machines and hypervisors in our
> network. I did some quick research and I didn't find anything.
> Can somebody tell me if there is a way or a method to detect that? One of my
> ideas is, when the VM is configured in NAT mode, to detect that kind of traffic,
> but the problem is when the VM is configured in bridge mode.
>
> It's a bit difficult to take care of this task via Snort as it involves
> tracking host vs. mac address vs. traffic.  Snort doesn't help inherently
> with this.
> Sourcefire makes another product that does this (it's not open source) in
> our commercial products.
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire

Operations Engineer
SeguraTec S.A.S
Calle 11 # 43B-50 of 307
Medellín Colombia

“Choose a job you love, and you will never have to work a day in your life”
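
Added example, not part of the original thread or of Snort: one way to do the MAC-to-IP association discussed above, run over constructed (IP, MAC) pairs such as an ARP table export. The OUI list is an illustrative subset of hypervisor default prefixes chosen for this example and the function names are hypothetical; a MAC changed to a physical vendor's prefix still passes, which is the limitation raised in the thread.

```python
"""Added example: classify (IP, MAC) observations for signs of virtual machines."""
from collections import defaultdict

# Default MAC prefixes used by common hypervisors (illustrative subset, not exhaustive).
VM_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V", "52:54:00": "QEMU/KVM",
    "00:16:3e": "Xen",
}

# Constructed sample observations (IP, MAC), e.g. exported from an ARP table.
SAMPLE = [
    ("10.0.0.21", "00:0C:29:3A:11:7F"),
    ("10.0.0.22", "3C:97:0E:12:34:56"),
    ("10.0.0.23", "02:AB:CD:00:00:01"),
    ("10.0.0.22", "08:00:27:AA:BB:CC"),
]


def classify_mac(mac):
    """Return a verdict string for one MAC address."""
    mac = mac.lower().replace("-", ":")
    vendor = VM_OUIS.get(mac[:8])
    if vendor:
        return "vm-oui:" + vendor
    # Bit 0x02 of the first octet marks a locally administered address,
    # which is what a manually overridden or generated MAC usually carries.
    if int(mac[:2], 16) & 0x02:
        return "locally-administered"
    return "unclassified"


def review(observations):
    """Return (ip, mac(s), verdict) findings worth a closer look."""
    macs_by_ip = defaultdict(set)
    findings = []
    for ip, mac in observations:
        mac = mac.lower()
        macs_by_ip[ip].add(mac)
        verdict = classify_mac(mac)
        if verdict != "unclassified":
            findings.append((ip, mac, verdict))
    # One IP answering from several MACs is only a hint (it can also be a
    # reassigned address), so it is reported separately from the OUI verdicts.
    for ip, macs in sorted(macs_by_ip.items()):
        if len(macs) > 1:
            findings.append((ip, ",".join(sorted(macs)), "multiple-macs"))
    return findings
```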