Re: Virtual Machines and Hypervisors

[Joel Esler <jesler () sourcefire com>]

Firesight is what we call it now.  RNA+ other things. 

But it would require no filters or rules. It would do this on its own. 

That being said, this isn't a Sourcefire product email list its a Snort list.  So I apologize or anyone thinking I've 
dragged this on too far.  



--
Joel Esler
Sent from my iPhone 

On Jan 29, 2013, at 2:18 PM, mikael keri <info () prowling nu> wrote:

> Joel,
>
> Depends what you mean by naturally, it's been a couple of years since I
> used RNA.. to long one might say =) But I guess that you mean that RNA
> might apply filters/rules to detect that kind of traffic pattern.
>
> If so I guess you are right, p0f and other passive detection solutions
> like pads (whose output will contain MAC address btw) will give you logs
> that you will have to apply your own filter to.
>
> I remember looking at using passive detection for a way to detect VM
> hosts a couple of years back and found this one:
>
> http://www.chrisbrenton.org/2009/09/passively-fingerprinting-vmware-virtual-systems/
> (might still be valid)
>
> Also passive detection is best done close to the target(s), which in a
> big campus might be hard to do.
>
> Shawn’s answer is very good one and very usable in a none BOYD
> environment, if you can't control the clients, enabling port-security in
> the switch might be one other way forward.
>
> But to get back to topic the following rules might give you something ,
> but Virtualbox, which also has a update feature is not covered (might be
> a rule to write..)
>
> 1:2013749 (ET)
>
> Regards
> Mikael
>
>
> On 2013-01-29 16:53, Joel Esler wrote:
> > I haven't worked with p0f in several years, but I don't think p0f would
> > do it naturally.  You'd have to have p0f identify the different OSes
> > being detected on one IP with multiple macs, or vice versa.  
> >
> > p0f doesn't do that.
> >
> > --
> > *Joel Esler*
> > Senior Research Engineer, VRT
> > OpenSource Community Manager
> > Sourcefire
> >
> > On Jan 29, 2013, at 9:26 AM, Mikael Keri <info () prowling nu
> > <mailto:info () prowling nu>> wrote:
> >
> > > Forgotten to cc the list. See below.
> > > But to follow up if you can't go the SF way with RNA there is always
> > > p0f. But I still think that my original  answer would be a way forward
> > > for you.
> > >
> > > Regards
> > > Mikael
> > >
> > > ---------- Vidarebefordrat meddelande ----------
> > > Från: "Mikael Keri" <info () prowling nu <mailto:info () prowling nu>>
> > > Datum: 29 jan 2013 15:05
> > > Ämne: Re: [Snort-users] Virtual Machines and Hypervisors
> > > Till: "Juan Camilo Valencia" <juan.valencia () seguratec com co
> > > <mailto:juan.valencia () seguratec com co>>
> > >
> > > Nmap? Also look in switch logs / dhcp logs for mac address that does
> > > not belong to your standard hardware platform.
> > >
> > > This might be a better option then use Snort for the detection. That
> > > said there are rules to detects Vmware software update requests
> > >
> > > Regards
> > > Mikael
> > >
> > > Den 29 jan 2013 14:33 skrev "Juan Camilo Valencia"
> > > <juan.valencia () seguratec com co <mailto:juan.valencia () seguratec com co>>:
> > >
> > >    Hi Guys,
> > >
> > >    I am trying to find a way to ban virtual machines and hypervisors
> > >    in our network, I made a quicly research and I didn't found anything.
> > >
> > >    Can somebody tell me if exist a way or a method to detect that,
> > >    one of my ideas is when the VM is configured in NAT mode detect
> > >    that kind of traffic, but the problem is when the VM is configured
> > >    in bridge mode.
> > >
> > >    Thanks for your advance,
> > >
> > >    Regards
> > >
> > >    -- 
> > >    JUAN CAMILO VALENCIA VARGAS
> > >    Ingeniero de Operaciones
> > >    SeguraTec S.A.S 
> > >    Calle 11 # 43B-50 of 307
> > >    Medelllín Colombia
> > >
> > >    *“Choose a job you love, and you will never have to work a day in
> > >    your life”*
> > >
> > >    ------------------------------------------------------------------------------
> > >    Master Visual Studio, SharePoint, SQL, ASP.NET <http://asp.net/>,
> > >    C# 2012, HTML5, CSS,
> > >    MVC, Windows 8 Apps, JavaScript and much more. Keep your skills
> > >    current
> > >    with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> > >    MVPs and experts. ON SALE this month only -- learn more at:
> > >    http://p.sf.net/sfu/learnnow-d2d
> > >    _______________________________________________
> > >    Snort-users mailing list
> > >    Snort-users () lists sourceforge net
> > >    <mailto:Snort-users () lists sourceforge net>
> > >    Go to this URL to change user options or unsubscribe:
> > >    https://lists.sourceforge.net/lists/listinfo/snort-users
> > >    Snort-users list archive:
> > >    http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > >    Please visit http://blog.snort.org <http://blog.snort.org/> to
> > >    stay current on all the latest Snort news!
> > >
> > > ------------------------------------------------------------------------------
> > > Master Visual Studio, SharePoint, SQL, ASP.NET <http://ASP.NET>, C#
> > > 2012, HTML5, CSS,
> > > MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> > > with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> > > MVPs and experts. ON SALE this month only -- learn more at:
> > > http://p.sf.net/sfu/learnnow-d2d_______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > > Snort news!
------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!