Snort mailing list archives
Re: Virtual Machines and Hypervisors
From: Juan Camilo Valencia <camilo.valencia13 () gmail com>
Date: Tue, 29 Jan 2013 17:23:35 -0500
Hi guys, I reviewed your answers and I found very useful information. I will keep researching how to get this done. However, I want to share with you a broader scenario about the reasons behind trying to do this thing. We have installed a NAC (PacketFence) system inside the network; the switches under control are configured in port-security mode and I can control when the VM is running based on the MAC address, and I can either put the machine in an isolation VLAN, or just kick out the machine and by effect kick out the host machine. However, there are certain users that know about this thing and they try to bypass this rule by changing the MAC address. The problem here is that we use an agentless NAC, and we can't have, for example, procedures running inside the machines to identify if it is a virtual or physical machine. I was looking for the techniques that Mikael suggested in the link that he posted and trying to control this topic through a rule in Snort, or begin thinking about integrating another tool that provides help with that. I appreciate very much the info that you provided me, and I am very glad with the suggestions once again. I will look for the better solution.

Best regards

On Tue, Jan 29, 2013 at 2:22 PM, Joel Esler <jesler () sourcefire com> wrote:
Firesight is what we call it now. RNA + other things. But it would require no filters or rules. It would do this on its own. That being said, this isn't a Sourcefire product email list, it's a Snort list. So I apologize to anyone thinking I've dragged this on too far.

--
Joel Esler
Sent from my iPhone

On Jan 29, 2013, at 2:18 PM, mikael keri <info () prowling nu> wrote:

Joel, depends what you mean by naturally, it's been a couple of years since I used RNA.. too long one might say =) But I guess that you mean that RNA might apply filters/rules to detect that kind of traffic pattern. If so I guess you are right; p0f and other passive detection solutions like pads (whose output will contain the MAC address btw) will give you logs that you will have to apply your own filter to. I remember looking at using passive detection as a way to detect VM hosts a couple of years back and found this one: http://www.chrisbrenton.org/2009/09/passively-fingerprinting-vmware-virtual-systems/ (might still be valid). Also passive detection is best done close to the target(s), which in a big campus might be hard to do. Shawn's answer is a very good one and very usable in a non-BYOD environment; if you can't control the clients, enabling port-security in the switch might be one other way forward. But to get back to the topic, the following rules might give you something, but VirtualBox, which also has an update feature, is not covered (might be a rule to write..): 1:2013749 (ET)

Regards Mikael

On 2013-01-29 16:53, Joel Esler wrote:

I haven't worked with p0f in several years, but I don't think p0f would do it naturally. You'd have to have p0f identify the different OSes being detected on one IP with multiple MACs, or vice versa. p0f doesn't do that.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jan 29, 2013, at 9:26 AM, Mikael Keri <info () prowling nu> wrote:

Forgot to cc the list. See below.
But to follow up, if you can't go the SF way with RNA there is always p0f. But I still think that my original answer would be a way forward for you.

Regards Mikael

---------- Forwarded message ----------
From: "Mikael Keri" <info () prowling nu>
Date: 29 Jan 2013 15:05
Subject: Re: [Snort-users] Virtual Machines and Hypervisors
To: "Juan Camilo Valencia" <juan.valencia () seguratec com co>

Nmap? Also look in switch logs / DHCP logs for MAC addresses that do not belong to your standard hardware platform. This might be a better option than using Snort for the detection. That said, there are rules to detect VMware software update requests.

Regards Mikael

On 29 Jan 2013 14:33, "Juan Camilo Valencia" <juan.valencia () seguratec com co> wrote:

Hi guys, I am trying to find a way to ban virtual machines and hypervisors in our network. I did some quick research and I didn't find anything. Can somebody tell me if there exists a way or a method to detect that? One of my ideas is, when the VM is configured in NAT mode, to detect that kind of traffic, but the problem is when the VM is configured in bridge mode. Thanks in advance, Regards

--
JUAN CAMILO VALENCIA VARGAS
Operations Engineer
SeguraTec S.A.S
Calle 11 # 43B-50 of 307
Medellín, Colombia
"Choose a job you love, and you will never have to work a day in your life"

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
JUAN CAMILO VALENCIA VARGAS
Operations Engineer
SeguraTec S.A.S
Calle 11 # 43B-50 of 307
Medellín, Colombia
"Choose a job you love, and you will never have to work a day in your life"
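The log-side check Mikael suggests (look in DHCP or switch logs for MAC addresses that belong to a hypervisor vendor, or that do not belong to the standard hardware platform) as an added example, not code from the thread or from any of the tools it names. The hypervisor OUI table is well known; the "known hardware" OUI, the log format and the sample lines are constructed for this example.

```python
import re

# OUIs (first three octets) that hypervisors assign to virtual NICs.
VIRTUAL_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V", "52:54:00": "QEMU/KVM",
}
# OUIs of the organisation's standard hardware platform (constructed value;
# replace with the OUIs of your own fleet).
KNOWN_HARDWARE_OUIS = {"3c:97:0e"}

# Matches 00:0c:29:4f:12:aa, 00-0c-29-4f-12-aa and Cisco-style 000c.294f.12aa.
MAC_RE = re.compile(
    r"(?i)\b(?:[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b")

def normalize_mac(raw):
    """Return the MAC as lower-case colon-separated octets."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(mac):
    """Verdict for one MAC: hypervisor vendor, unknown OUI, or None for known hardware."""
    oui = mac[:8]
    if oui in VIRTUAL_OUIS:
        return "virtual:" + VIRTUAL_OUIS[oui]
    if oui in KNOWN_HARDWARE_OUIS:
        return None
    # Not a hypervisor OUI, but not the standard platform either: a changed MAC
    # (the bypass described in the thread) usually ends up in this bucket.
    return "unknown-oui"

def scan_log(lines):
    """Return (mac, verdict, line) for every MAC in the log that deserves a look."""
    hits = []
    for line in lines:
        for m in MAC_RE.finditer(line):
            mac = normalize_mac(m.group(0))
            verdict = classify(mac)
            if verdict:
                hits.append((mac, verdict, line.strip()))
    return hits

# Constructed sample lines in a dhcpd / switch syslog style (not real logs).
SAMPLE_LOG = """\
Jan 29 14:33:01 dhcpd: DHCPACK on 10.1.20.55 to 00:0c:29:4f:12:aa (win7-lab) via eth1
Jan 29 14:33:05 dhcpd: DHCPACK on 10.1.20.56 to 3c:97:0e:11:22:33 (laptop-0231) via eth1
Jan 29 14:34:10 sw-edge3: port-security violation on Gi1/0/7 from MAC 0800.27aa.bbcc
Jan 29 14:35:42 dhcpd: DHCPDISCOVER from d4:3d:7e:00:11:22 via eth1
"""

if __name__ == "__main__":
    for mac, verdict, line in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{verdict:20} {mac}  <- {line}")
```

An OUI match is only a first signal: the MAC is under the user's control, so the "unknown-oui" bucket, checked against the fleet's real hardware list, is what catches the machines that spoofed their way past the first check.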