[Snort-users] Virtual Machines and Hypervisors

Juan Camilo Valencia camilo.valencia13 at ...11827...
Tue Jan 29 17:23:35 EST 2013


Hi Guys,

I reviewed your answers and I found very useful information. I will keep
researching in how to get this done. However I want to share with you a
more broad scenario about the reasons behind to try to do this think.

We have installed a NAC, (Packetefence), system inside the network, the
switches under control are configured in port-security mode and I can
control when the VM is running based on the MAC address, and I can either
put the machine in and isolation VLAN, or just kick-out  the machine and by
effect kick-out the host machine. However there are certain users that know
about this thing and they try to bypass this rule changing the MAC address.
The problem here is that we use and agentless NAC, and we can't have for
example the procedures running inside the machines to identify if is
virtual or physical machine. I was looking for techniques that Mikael
suggest in the link that he  put and try to control this topic through a
rule in SNORT, or begin thinking in integrate another tool that provide
help with that.

I appreciate too much the info that you provided me, and I am very glad
with the suggestions once again. I will look up for the better solution.

Best regards


On Tue, Jan 29, 2013 at 2:22 PM, Joel Esler <jesler at ...1935...> wrote:

> Firesight is what we call it now.  RNA+ other things.
>
> But it would require no filters or rules. It would do this on its own.
>
> That being said, this isn't a Sourcefire product email list its a Snort
> list.  So I apologize or anyone thinking I've dragged this on too far.
>
>
>
> --
> *Joel Esler*
> Sent from my iPhone 
>
> On Jan 29, 2013, at 2:18 PM, mikael keri <info at ...16060...> wrote:
>
> Joel,
>
> Depends what you mean by naturally, it's been a couple of years since I
> used RNA.. to long one might say =) But I guess that you mean that RNA
> might apply filters/rules to detect that kind of traffic pattern.
>
> If so I guess you are right, p0f and other passive detection solutions
> like pads (whose output will contain MAC address btw) will give you logs
> that you will have to apply your own filter to.
>
> I remember looking at using passive detection for a way to detect VM
> hosts a couple of years back and found this one:
>
>
> http://www.chrisbrenton.org/2009/09/passively-fingerprinting-vmware-virtual-systems/
> (might still be valid)
>
> Also passive detection is best done close to the target(s), which in a
> big campus might be hard to do.
>
> Shawn’s answer is very good one and very usable in a none BOYD
> environment, if you can't control the clients, enabling port-security in
> the switch might be one other way forward.
>
> But to get back to topic the following rules might give you something ,
> but Virtualbox, which also has a update feature is not covered (might be
> a rule to write..)
>
> 1:2013749 (ET)
>
> Regards
> Mikael
>
>
> On 2013-01-29 16:53, Joel Esler wrote:
>
> I haven't worked with p0f in several years, but I don't think p0f would
>
> do it naturally.  You'd have to have p0f identify the different OSes
>
> being detected on one IP with multiple macs, or vice versa.
>
>
> p0f doesn't do that.
>
>
> --
>
> *Joel Esler*
>
> Senior Research Engineer, VRT
>
> OpenSource Community Manager
>
> Sourcefire
>
>
> On Jan 29, 2013, at 9:26 AM, Mikael Keri <info at ...16060...
>
> <mailto:info at ...16060... <info at ...16060...>>> wrote:
>
>
> Forgotten to cc the list. See below.
>
> But to follow up if you can't go the SF way with RNA there is always
>
> p0f. But I still think that my original  answer would be a way forward
>
> for you.
>
>
> Regards
>
> Mikael
>
>
> ---------- Vidarebefordrat meddelande ----------
>
> Från: "Mikael Keri" <info at ...16060... <mailto:info at ...16060...<info at ...16060...>
> >>
>
> Datum: 29 jan 2013 15:05
>
> Ämne: Re: [Snort-users] Virtual Machines and Hypervisors
>
> Till: "Juan Camilo Valencia" <juan.valencia at ...16028...
>
> <mailto:juan.valencia at ...16028... <juan.valencia at ...16028...>>>
>
>
> Nmap? Also look in switch logs / dhcp logs for mac address that does
>
> not belong to your standard hardware platform.
>
>
> This might be a better option then use Snort for the detection. That
>
> said there are rules to detects Vmware software update requests
>
>
> Regards
>
> Mikael
>
>
> Den 29 jan 2013 14:33 skrev "Juan Camilo Valencia"
>
> <juan.valencia at ...16028... <mailto:juan.valencia at ...16028...<juan.valencia at ...16028...>
> >>:
>
>
>    Hi Guys,
>
>
>    I am trying to find a way to ban virtual machines and hypervisors
>
>    in our network, I made a quicly research and I didn't found anything.
>
>
>    Can somebody tell me if exist a way or a method to detect that,
>
>    one of my ideas is when the VM is configured in NAT mode detect
>
>    that kind of traffic, but the problem is when the VM is configured
>
>    in bridge mode.
>
>
>    Thanks for your advance,
>
>
>    Regards
>
>
>    --
>
>    JUAN CAMILO VALENCIA VARGAS
>
>    Ingeniero de Operaciones
>
>    SeguraTec S.A.S
>
>    Calle 11 # 43B-50 of 307
>
>    Medelllín Colombia
>
>
>    *“Choose a job you love, and you will never have to work a day in
>
>    your life”*
>
>
>
>    ------------------------------------------------------------------------------
>
>    Master Visual Studio, SharePoint, SQL, ASP.NET <http://asp.net/>,
>
>    C# 2012, HTML5, CSS,
>
>    MVC, Windows 8 Apps, JavaScript and much more. Keep your skills
>
>    current
>
>    with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
>
>    MVPs and experts. ON SALE this month only -- learn more at:
>
>    http://p.sf.net/sfu/learnnow-d2d
>
>    _______________________________________________
>
>    Snort-users mailing list
>
>    Snort-users at lists.sourceforge.net
>
>    <mailto:Snort-users at lists.sourceforge.net<Snort-users at ...2652...e.net>
> >
>
>    Go to this URL to change user options or unsubscribe:
>
>    https://lists.sourceforge.net/lists/listinfo/snort-users
>
>    Snort-users list archive:
>
>    http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
>
>    Please visit http://blog.snort.org <http://blog.snort.org/> to
>
>    stay current on all the latest Snort news!
>
>
>
> ------------------------------------------------------------------------------
>
> Master Visual Studio, SharePoint, SQL, ASP.NET <http://ASP.NET>, C#
>
> 2012, HTML5, CSS,
>
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
>
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
>
> MVPs and experts. ON SALE this month only -- learn more at:
>
>
> http://p.sf.net/sfu/learnnow-d2d_______________________________________________
>
> Snort-users mailing list
>
> Snort-users at lists.sourceforge.net
>
> Go to this URL to change user options or unsubscribe:
>
> https://lists.sourceforge.net/lists/listinfo/snort-users
>
> Snort-users list archive:
>
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
>
> Please visit http://blog.snort.org to stay current on all the latest
>
> Snort news!
>
>
>
>
>
> ------------------------------------------------------------------------------
> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> MVPs and experts. ON SALE this month only -- learn more at:
> http://p.sf.net/sfu/learnnow-d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>



-- 
JUAN CAMILO VALENCIA VARGAS
Ingeniero de Operaciones
SeguraTec S.A.S
Calle 11 # 43B-50 of 307
Medelllín Colombia

*“Choose a job you love, and you will never have to work a day in your life”
*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130129/462f8d5d/attachment.html>


More information about the Snort-users mailing list