Snort mailing list archives

RE: Snort in VMware

From: "Douglas McCrea" <dmccrea () rutgers edu>
Date: Wed, 18 Feb 2004 14:03:25 -0500

From my experience with VMware, I would suggest installing an ethernet

card devoted to (not bridged) the VMware server. You need to add the NIC
to the host system, then add the adapter to one of the VMware Nic slots
on the Host Virtual Network Mappping tab under Virtaul Network Editor.
This should give you the best performance. You can also try this with
the NIC that is already on the host just to see if it works instead of
using a bridged connection. I'm not sure if winpcap needs to be
installed on your host, somebody may want to contribute their $.02 on
that. Remember also that the NIC is emulated to an AMD PCNet card when
bridged or local only- I'm not sure if this is the case when directly
mapped, so you may have to play with the settings to enable promiscuous
mode for that NIC on the VMware client system within Linux.

-Doug


-----Original Message-----
From: Brian McNeilly [mailto:bmcneilly () shaw ca] 
Sent: Wednesday, February 18, 2004 1:33 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort in VMware


Hi,

Here's a summary of my setup: I am using VMware GSX Server for my Snort
box. The guest OS where Snort is installed is running RedHat9, and the
host is running Windows XP Pro.

Everything seems to work great, except I can only see packets coming to
and from my host IP address: nothing else from the network appears in
the Snort logs. The host machine is connected to a non-switching hub,
and the linux interface on the guest is set to promiscuous mode. What I
want to scan is every packet going through the hub, regardless of the
source and destination addresses.

Has anyone had issues with running Snort on a VMware guest? Is there
anything else I need to check to make sure my connection sees all the
packets from the hub?

Thanks for your help,
Brian McNeilly
------------------------------------------------------- SF.Net is
sponsored by: Speed Start Your Linux Apps Now. Build and deploy apps &
Web services for Linux with a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________ Snort-users mailing list
Snort-users () lists sourceforge net Go to this URL to change user options
or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users 


-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id56&alloc_id438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort in VMware Brian McNeilly (Feb 18)
- Re: Snort in VMware Stephen W. Thompson (Feb 19)
- <Possible follow-ups>
- RE: Snort in VMware Douglas McCrea (Feb 18)
- Re: Snort in VMware M. Morgan (Feb 18)
  - Re: Snort in VMware Jeff (Feb 18)
- RE: Snort in VMware DM (Feb 19)
- Re: Snort in VMware Brian McNeilly (Feb 19)
- Re: Snort in VMware M. Morgan (Feb 19)
  - Re: Snort in VMware Mark Fagan (Feb 19)
    - OT: Re: Snort in VMware/hubs Jeff (Feb 19)
    - Re: Snort in VMware Michael Stone (Feb 23)