PaulDotCom mailing list archives
snort and honeyd
From: paul at pauldotcom.com (Paul Asadoorian)
Date: Tue, 11 Nov 2008 07:00:53 -0500
Hi David,

With bridged mode, I am referring to your virtual environment. Assuming VMware, you'd want to capture traffic on your host adapter interface, which *should* see all the traffic for all of the VMs.

Sounds like your HOME_NET variable is set correctly. I would try to specifically trigger an alert to one of the virtual IPs and see where it's falling down. Log the traffic with a sniffer and make sure the guest VM is receiving the offending packet, then monitor Snort and see if an alert is triggered.

Cheers,
Paul

David Grubers wrote:
> Paul,
>
> By bridged mode, do you mean snort_inline, or some other functionality that I am overlooking? I set HOME_NET to the entire /24 (which I do have control of) but I seem to only get warnings for the host's IP. Do I need to use snort_inline so I can get data from the iptables queue, or does plain-old snort have the functionality to do what I want and I just haven't configured it right?
>
> Joe, thanks for your ideas. HOME_NET is correct, and I am in the process of checking out the honeynet project, which is what I assume you were referring to (honeywall is for true honeynets, whereas honeyd just emulates hosts).
>
> David
>
> 2008/11/6 Paul Asadoorian <paul at pauldotcom.com>:
>> Hi David,
>>
>> Just a thought, if you run Snort on the host machine, and it's in bridged mode, won't you see all the traffic from the VMs?
>>
>> Cheers,
>> Paul
>>
>> David Grubers wrote:
>>> I've got a honeyd server with about 5 virtual machines, with snort running on the host. Can anyone give some wisdom on configuring snort to generate alerts for all the IPs (they are sequential) instead of just the host box?
>>>
>>> Thanks,
>>> David
>>>
>>> _______________________________________________
>>> Pauldotcom mailing list
>>> Pauldotcom at mail.pauldotcom.com
>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> Main Web Site: http://pauldotcom.com
>>
>> --
>> Paul Asadoorian
>> PaulDotCom Enterprises
>> Web: http://pauldotcom.com
>> Phone: 401.829.9552
--
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552
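The two checks the thread converges on are (1) does HOME_NET actually cover every honeyd virtual IP, and (2) does the packet reach the host's bridged adapter before Snort ever sees it. The script below is an added example, not code from this thread or from either poster: a small POSIX shell helper that parses a Snort-style HOME_NET value and reports which virtual IPs fall outside it, followed (as comments) by the sniff-then-watch-Snort sequence Paul describes. The network 192.168.1.0/24, the virtual IPs, and the interface name eth0 are constructed placeholders; negated HOME_NET entries (`!x`) are not handled.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every honeyd virtual IP is
# inside Snort's HOME_NET, then show the capture-vs-alert check Paul suggests.
# All addresses and the interface name are constructed for illustration.

# dotted quad -> 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit 0 if IP lies inside the prefix
in_cidr() {
    ip=$1
    cidr=$2
    net=${cidr%/*}
    bits=${cidr#*/}
    [ "$bits" = "$cidr" ] && bits=32            # bare address: treat as /32
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# in_home_net IP HOME_NET -> exit 0 if IP matches any element of a Snort
# HOME_NET value such as "192.168.1.0/24", "[192.168.1.0/24,10.0.0.0/8]" or
# "any". Negated entries (!x) are not handled in this example.
in_home_net() {
    ip=$1
    list=$2
    list=${list#\[}
    list=${list%\]}
    [ "$list" = "any" ] && return 0
    old_ifs=$IFS
    IFS=,
    set -- $list
    IFS=$old_ifs
    for entry in "$@"; do
        entry=$(echo "$entry" | tr -d ' ')
        in_cidr "$ip" "$entry" && return 0
    done
    return 1
}

# check_home_net HOME_NET IP... -> prints one line per IP, exit 1 if any IP
# would NOT be treated as home (so $HOME_NET-based rules never fire for it)
check_home_net() {
    home=$1
    shift
    missing=0
    for vip in "$@"; do
        if in_home_net "$vip" "$home"; then
            echo "ok      $vip is inside HOME_NET $home"
        else
            echo "MISSING $vip is outside HOME_NET $home"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed demo: four honeyd virtual IPs, one deliberately outside the /24.
HOME_NET='[192.168.1.0/24]'
check_home_net "$HOME_NET" 192.168.1.50 192.168.1.51 192.168.1.52 192.168.2.10 \
    || echo "widen HOME_NET (or fix the honeyd config) before chasing Snort"

# Paul's second check, run on the host's bridged adapter (eth0 is assumed):
#   tcpdump -ni eth0 host 192.168.1.50                   # does the probe reach the virtual IP?
#   snort -c /etc/snort/snort.conf -i eth0 -A console    # does Snort alert on it?
# If tcpdump shows the packet but Snort stays quiet, the fault is in the Snort
# side (HOME_NET, rule set, or the interface Snort listens on), not the bridge.
```

Run it once with the real HOME_NET line from snort.conf and the honeyd address list; a MISSING line explains the symptom David reports (alerts only for the host IP) without touching snort_inline at all, since plain Snort in sniffing mode will alert on any destination that HOME_NET covers.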
Current thread:
- snort and honeyd David Grubers (Nov 05)
- snort and honeyd Joel Esler (Nov 06)
- snort and honeyd Paul Asadoorian (Nov 06)
- snort and honeyd David Grubers (Nov 09)
- snort and honeyd Paul Asadoorian (Nov 11)
- snort and honeyd David Grubers (Nov 09)