[Snort-users] Virtual Machines and Hypervisors
Juan Camilo Valencia
camilo.valencia13 at ...11827...
Tue Jan 29 09:24:08 EST 2013
I thought that maybe the VM generates some kind of flags in the headers of
the protocols to communicate in the network. Basically I can detect the MAC
address and associate it with an IP address; however, there are scenarios
where people can change the MAC address and the method that I use is not
valid. But thanks a lot for your fast answer,
On Tue, Jan 29, 2013 at 9:06 AM, Joel Esler <jesler at ...1935...> wrote:
> On Jan 29, 2013, at 7:59 AM, Juan Camilo Valencia <
> juan.valencia at ...16028...> wrote:
> > Hi Guys,
> > I am trying to find a way to ban virtual machines and hypervisors in our
> > network. I did some quick research and I didn't find anything.
> > Can somebody tell me if there is a way or a method to detect that? One of my
> > ideas is, when the VM is configured in NAT mode, to detect that kind of traffic,
> > but the problem is when the VM is configured in bridge mode.
> It's a bit difficult to take care of this task via Snort as it involves
> tracking host vs. mac address vs. traffic. Snort doesn't help inherently
> with this.
> Sourcefire makes another product that does this (it's not open source) in
> our commercial products.
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
JUAN CAMILO VALENCIA VARGAS
Operations Engineer
Calle 11 # 43B-50 of 307
*“Choose a job you love, and you will never have to work a day in your life”*
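
The MAC-to-IP association discussed in this thread, as an added example that is not from either poster or from Snort: it labels observed (IP, MAC) pairs by well-known default hypervisor OUIs, flags locally administered addresses (a common sign of an overridden MAC), and reports IPs seen with more than one MAC. A MAC changed to an ordinary vendor prefix still passes the OUI check, which is the limitation raised above. The function names and the sample observations are constructed for illustration.

```python
from collections import defaultdict

# Well-known default OUIs (first three MAC octets) used by virtualization products.
VM_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V", "00:16:3e": "Xen",
    "52:54:00": "QEMU/KVM",
}

def normalize(mac):
    """Return the MAC as lowercase colon-separated octets."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(mac):
    """Label one MAC: hypervisor vendor, locally administered, or None."""
    mac = normalize(mac)
    vendor = VM_OUIS.get(mac[:8])
    if vendor:
        return f"vm-oui:{vendor}"
    # Bit 0x02 of the first octet marks a locally administered (overridden) address.
    if int(mac[:2], 16) & 0x02:
        return "locally-administered"
    return None

def audit(observations):
    """observations: iterable of (ip, mac). Returns (findings, ips_with_multiple_macs)."""
    findings, macs_by_ip = [], defaultdict(set)
    for ip, mac in observations:
        mac = normalize(mac)
        label = classify(mac)
        if label and (ip, mac, label) not in findings:
            findings.append((ip, mac, label))
        macs_by_ip[ip].add(mac)
    changed = {ip: sorted(m) for ip, m in macs_by_ip.items() if len(m) > 1}
    return findings, changed

# Constructed sample observations (documentation address range, not from the thread).
SAMPLE = [
    ("192.0.2.10", "00:0C:29:3A:1B:7F"), ("192.0.2.11", "08-00-27-AA-BB-CC"),
    ("192.0.2.12", "3c:52:82:10:20:30"), ("192.0.2.13", "02:11:22:33:44:55"),
    ("192.0.2.12", "00:15:5d:01:02:03"),
]

if __name__ == "__main__":
    found, changed = audit(SAMPLE)
    print(found, changed, sep="\n")
```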