Re: snort sensor on virtual machine...[?]

[Paul Marin <pmarinh45 () gmail com>]

Hi,

I am not completely sure, but I believe you cannot set up a virtual nic
for capturing packets from a SPAN/mirror port since you don't have
direct physical access to the port. This is something i tried to
accomplish in VMware ESXi and i couldn't. I don't know if others
virtualization software can do that. (Someone please correct me if I'm
wrong).

So, this is something to take in count when running snort in a vm.

By other hand, snort tends to consume a lot of CPU resources. So, maybe
it's better to dedicate a whole server to snort instead of sharing it
with others apps.

However, if you are planning to run add-on tools like sguil or snortsam,
the sguil-server and the snortsam-agent components can surely be run in
virtual enviroments.

Kindly,

Paul


El 11/04/2012 10:52 a.m., Corbin Fletcher escribió:
> Greetings Snort community,
>
> I am a member of a small team who operates a data center. Our company 
> provides VoIP services for corporations. We utilize primarily open 
> source application. We run Debian and CentOS, FreeSwitch, OpenSIP, MySQL 
> Elastix, FreePBX, Proxmox, etc.
>
> We receive a good number of SIP brute force attacks, and other security 
> breaches on our network. And this is the reason for my email.
>
> As a team we have agreed to implement a Snort sensor as a NIDS. We are 
> currently not running any IDS and we rely on analyzing logs to be 
> alerted to our network attacks.
>
> I would like to install a Snort sensor at the edge of our network on its 
> own dedicate machine and have it sniff all network traffic.
>
> Another team member wants to run Snort on a Proxmox cluster in a virtual 
> environment.
>
> Can anyone advise about the pros and cons for each approach?
>
> Or, could someone please advise on best practices for implementing a 
> Snort sensor on our network?
>
> Thanks in advance.
>
> ~Corbin
>
>
> ------------------------------------------------------------------------------
> Better than sec? Nothing is better than sec when it comes to
> monitoring Big Data applications. Try Boundary one-second 
> resolution app monitoring today. Free.
> http://p.sf.net/sfu/Boundary-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
Better than sec? Nothing is better than sec when it comes to
monitoring Big Data applications. Try Boundary one-second 
resolution app monitoring today. Free.
http://p.sf.net/sfu/Boundary-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!