Snort mailing list archives
Re: Snort VM monitoring other VMs (virtual environment)
From: Crusty Saint <saintcrusty () gmail com>
Date: Tue, 12 Apr 2011 16:29:39 +0200
Would this not require some sort of VLAN set-up? http://open.eucalyptus.com/wiki/EucalyptusNetworkConfiguration_v2.0 documents that there are multiple network modes available. If at all applicable, a span-port would do the magic you're looking for.

2011/4/12 turki <turki_00 () yahoo com>
Hi Mike,

Unfortunately, I am not using VMware products. I am using Eucalyptus cloud http://open.eucalyptus.com/

--- On Mon, 4/11/11, Mike Lococo <mikelococo () gmail com> wrote:

From: Mike Lococo <mikelococo () gmail com>
Subject: Re: [Snort-users] Snort VM monitoring other VMs (virtual environment)
To: snort-users () lists sourceforge net
Received: Monday, April 11, 2011, 11:19 PM

I am running Snort 2.9 on a virtual machine with 1 NIC (eth0) and I manage to detect and log alerts generated from it. (I will call it Snort-VM.) My question: if I run another virtual machine (I will call it App-VM) within the same network as the Snort-VM (same subnet mask), will I be able to configure Snort-VM to pick up traffic generated from App-VM? So in general, is it even possible to let Snort log traffic for other virtual machines?

It is possible. There are two general paths:

1) Configure your vswitch to ship the traffic to your sniffer-vm. It won't do this by default, but it can be done.

2) Use a virtual-appliance of some kind that supports sniffing. Solera has something, I think, and there are some other security-specific appliances that hook into VMWare on a fairly low level to monitor clients in special ways (Anti-Virus VMs that do memory inspection of all clients on a host, for example).

Check out this link, which has a decent overview of sniffing on ESX: http://vmetc.com/2009/03/12/virtual-machine-sniffer-on-esx-hosts/

Cheers,
Mike Lococo

------------------------------------------------------------------------------
Forrester Wave Report - Recovery time is now measured in hours and minutes not days. Key insights are discussed in the 2010 Forrester Wave Report as part of an in-depth evaluation of disaster recovery service providers. Forrester found the best-in-class provider in terms of services and vision. Read this report now! http://p.sf.net/sfu/ibm-webcastpromo
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
- - - Security Engineer - Tags: Analyst Systems Security Linux Firewall Network Web Troubleshooting - If you think I deserve a rant, write me off-list
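Mike's first path (have the virtual switch ship the traffic to the sniffer VM) worked through for a KVM host that uses Linux bridges, as Eucalyptus does; this is an added example, not code from anyone in this thread or from the Eucalyptus project. It uses the tc mirred action to copy both directions of one VM's tap port onto the Snort VM's tap port, so Snort inside Snort-VM sees App-VM's frames on its own eth0. The interface names vnet0 (App-VM's tap) and vnet1 (Snort-VM's tap) are assumptions; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: mirror one VM's bridge port to the Snort VM's port with tc.
# Assumed (hypothetical) host-side tap names: vnet0 = App-VM, vnet1 = Snort-VM.
# Needs root and the act_mirred module; set APPLY=1 to execute, otherwise the
# generated commands are printed so they can be reviewed first.
set -eu

# Emit the tc commands that copy every frame entering or leaving SRC to DST.
# Frames sent by the VM arrive on the host through the tap's ingress side;
# frames delivered to the VM leave through its egress (root qdisc) side, so a
# filter is needed on each to capture both directions.
mirror_cmds() {
    src="$1"; dst="$2"
    printf 'tc qdisc add dev %s ingress\n' "$src"
    printf 'tc filter add dev %s parent ffff: protocol all u32 match u32 0 0 action mirred egress mirror dev %s\n' "$src" "$dst"
    printf 'tc qdisc add dev %s handle 1: root prio\n' "$src"
    printf 'tc filter add dev %s parent 1: protocol all u32 match u32 0 0 action mirred egress mirror dev %s\n' "$src" "$dst"
}

# Sanity check used before applying: a full mirror has one rule per direction.
mirror_rule_count() {
    mirror_cmds "$1" "$2" | grep -c 'action mirred'
}

# Print the plan, or run it line by line (sh -x shows each command as it runs).
apply_mirror() {
    if [ "${APPLY:-0}" = "1" ]; then
        mirror_cmds "$1" "$2" | sh -x
    else
        mirror_cmds "$1" "$2"
    fi
}

# Inside Snort-VM nothing changes: snort -i eth0 -c /etc/snort/snort.conf
# (Snort puts eth0 into promiscuous mode itself, so the mirrored frames,
# which carry App-VM's MAC addresses, are not dropped by the guest NIC).
apply_mirror "${1:-vnet0}" "${2:-vnet1}"
```

Undo with `tc qdisc del dev vnet0 ingress` and `tc qdisc del dev vnet0 root`; the mirror does not survive a reboot or a VM restart that recreates the tap, so put it wherever the host sets up the bridge.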
Current thread:
- Snort VM monitoring other VMs (virtual environment) turki (Apr 11)
- Re: Snort VM monitoring other VMs (virtual environment) Jason Wallace (Apr 11)
- Re: Snort VM monitoring other VMs (virtual environment) turki (Apr 11)
- Re: Snort VM monitoring other VMs (virtual environment) Mike Lococo (Apr 11)
- Re: Snort VM monitoring other VMs (virtual environment) turki (Apr 12)
- Re: Snort VM monitoring other VMs (virtual environment) Crusty Saint (Apr 12)
- Re: Snort VM monitoring other VMs (virtual environment) turki (Apr 13)
- Re: Snort VM monitoring other VMs (virtual environment) turki (Apr 12)
- Re: Snort VM monitoring other VMs (virtual environment) Jason Wallace (Apr 11)