[Snort-users] Detecting Guest to Guest Traffic

Jonathan Streetman jstreetm at ...11827...
Mon Jun 5 11:05:53 EDT 2017


Not sure if this is a simple question but I was hoping for some insight
into finishing a pentest lab. My goal is to have Snort sniff an attack in a
virtual environment between two guest VMs. My current setup running on
VirtualBox:

1. Windows 10 running Snort (host)
2. Kali as attacker (guest)
3. Unpatched Windows XP as target (guest)

The two guest machines are networked as host-only. Within each machine I
can ping host-guest and guest-guest. Pinging host-guest and running a test
ICMP alert
[alert icmp any any -> any any (msg:"Testing ICMP"; sid:1000001;)]
shows only the return echo packets. Pinging guest-guest does
not show any traffic.

My Snort startup is:
C:\Snort\bin>snort -i 6 -c c:\snort\etc\snort.conf -A console
where 6 is the VirtualBox interface

Keeping the same configuration but changing the interface to the host NIC
and pinging the web from the host, Snort will display the ICMP request and
replies.

Any insight into how I can have Snort monitor the traffic between the two
guests while running on the host?

Thanks!


