Re: Snort VM monitoring other VMs (virtual environment)

[Mike Lococo <mikelococo () gmail com>]

> I am running Snort 2.9 on a virtual machine with 1 NIC (eth0) and I
> manage to detect and log alerts generated from it. (I will call it
> Snort-VM)
>
> My question, if I run another virtual machine (I will call it
> App-VM)within the same network of the Snort-VM (same subnet mask).
> Will I be able to configure Snort-VM to pick up traffic generated
> from App-VM?
>
> So in general, Is it even possible to let Snort log traffic for other
> virtual machines?

It is possible.  There are two general paths:

1) Configure your vswitch to ship the traffic to your sniffer-vm.  It
won't do this by default, but it can be done.
2) Use a virtual-appliance of some kind that supports sniffing.  Solera
has something, I think, and there are some other security-specific
appliances that hook into VMWare on a fairly low level to monitor
clients in special ways (Anti-Virus VM's that do memory inspection of
all clients on a host, for example).

Check out this link, which has a decent overview of sniffing on ESX:
http://vmetc.com/2009/03/12/virtual-machine-sniffer-on-esx-hosts/

Cheers,
Mike Lococo

------------------------------------------------------------------------------
Forrester Wave Report - Recovery time is now measured in hours and minutes
not days. Key insights are discussed in the 2010 Forrester Wave Report as
part of an in-depth evaluation of disaster recovery service providers.
Forrester found the best-in-class provider in terms of services and vision.
Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users