Re: Virtual Machines and Hypervisors

[Ulric Eriksson <ulric () siag nu>]

On 01/29/2013 03:36 PM, Joel Esler wrote:
> No, not really (vms sending identifying traffic), the best detection 
> method is detection of multiple macs from a single IP, or multiple IPs 
> from a single mac.

Every vm I have in VirtualBox on my laptop has a unique mac address and 
ip address on their bridged network interfaces. The only reliable way I 
can think of to detect virtual machines and hypervisors is when there 
are multiple macs and/or ips in a single cable attached to what should 
be a single host. That would need to happen in the switch where the 
other end of said cable is connected.

An unreliable way to detect vms is to check the mac vendor id. Anything 
from "Cadmus Computers" is probably VirtualBox. It's unreliable because 
the mac can easily be changed.

Ulric

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!