snort and honeyd

[david.grubers at gmail.com (David Grubers)]

Paul,

By bridged mode, do you mean snort_inline, or some other functionality
that I am overlooking? I set HOME_NET to the entire /24 (which I do
have control of) but I seem to only get warnings for the host's IP. Do
I need to use snort_inline so I can get data from the iptables queue,
or does plain-old snort have the functionality to do what I want and I
just haven't configured it right?

Joe, thanks for your ideas. HOME_NET is correct, and I am in the
process of checking out the honeynet project, which is what I assume
you were referring to (honeywall is for true honeynets, whereas honeyd
just emulates hosts).

David


2008/11/6 Paul Asadoorian <paul at pauldotcom.com>:
> Hi David,
>
> Just a thought, if you run Snort on the host machine, and its in bridged
> mode, won't you see all the traffic from the VMs?
>
> Cheers,
> Paul
>
> David Grubers wrote:
> > I've got a honeyd server with about 5 virtual machines, with snort
> > running on the host. Can anyone give some wisdom on configuring snort
> > to generate alerts for all the IPs (they are sequential) instead of
> > just the host box?
> >
> > Thanks,
> > David
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
> --
> Paul Asadoorian
> PaulDotCom Enterprises
> Web: http://pauldotcom.com
> Phone: 401.829.9552
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com