Snort mailing list archives
Re: snort sensor on virtual machine...[?]
From: Mike Hale <eyeronic.design () gmail com>
Date: Wed, 11 Apr 2012 09:42:40 -0700
You can make it work, you just have to dedicate the network ports in your server to it. Essentially, you create a vSwitch using the NIC you use to get the traffic, and then connect the sniffing interfaces on your Snort VM to that vSwitch. It was pretty straightforward... feel free to ping me offlist if you'd like any other info on this.

On Wed, Apr 11, 2012 at 9:33 AM, Paul Marin <pmarinh45 () gmail com> wrote:
> Hi,
>
> I am not completely sure, but I believe you cannot set up a virtual NIC for capturing packets from a SPAN/mirror port since you don't have direct physical access to the port. This is something I tried to accomplish in VMware ESXi and I couldn't. I don't know if other virtualization software can do that. (Someone please correct me if I'm wrong). So, this is something to take into account when running Snort in a VM.
>
> On the other hand, Snort tends to consume a lot of CPU resources. So, maybe it's better to dedicate a whole server to Snort instead of sharing it with other apps. However, if you are planning to run add-on tools like Sguil or SnortSam, the sguil-server and the snortsam-agent components can surely be run in virtual environments.
>
> Kindly,
> Paul
>
> On 11/04/2012 10:52 a.m., Corbin Fletcher wrote:
>> Greetings Snort community,
>>
>> I am a member of a small team who operates a data center. Our company provides VoIP services for corporations. We utilize primarily open source applications. We run Debian and CentOS, FreeSwitch, OpenSIP, MySQL, Elastix, FreePBX, Proxmox, etc. We receive a good number of SIP brute force attacks, and other security breaches on our network. And this is the reason for my email.
>>
>> As a team we have agreed to implement a Snort sensor as a NIDS. We are currently not running any IDS and we rely on analyzing logs to be alerted to our network attacks. I would like to install a Snort sensor at the edge of our network on its own dedicated machine and have it sniff all network traffic. Another team member wants to run Snort on a Proxmox cluster in a virtual environment. Can anyone advise about the pros and cons for each approach? Or, could someone please advise on best practices for implementing a Snort sensor on our network?
>>
>> Thanks in advance.
>> ~Corbin
>>
>> ------------------------------------------------------------------------------
>> Better than sec? Nothing is better than sec when it comes to monitoring Big Data applications. Try Boundary one-second resolution app monitoring today. Free. http://p.sf.net/sfu/Boundary-dev2dev
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
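Mike's layout (dedicated NIC, a vSwitch on it, the VM's sniffing interface attached to that vSwitch) written out for Proxmox, the hypervisor Corbin's team is weighing, as an added example that is not code from anyone in the thread. The interface name eth2, the bridge name vmbr1 and the VM id 100 are assumptions, and the option spelling is ifupdown2's.

```shell
#!/bin/sh
# Added example, not code from the thread. It expresses the recipe from the
# reply above (dedicated NIC -> vSwitch -> VM's sniffing interface) for a
# Proxmox host. Assumed names: eth2 is the NIC cabled to the switch
# SPAN/mirror port, vmbr1 the capture bridge, 100 the Snort VM id.

# /etc/network/interfaces stanza for a capture-only bridge.
# - "inet manual" with no address/gateway: the hypervisor is not reachable
#   through the SPAN feed and nothing gets routed onto it.
# - bridge-ageing 0 disables MAC learning. Mirrored frames carry the real
#   hosts' MACs as sources, so a learning bridge would conclude that every
#   destination lives behind eth2 and would never forward to the VM's tap.
sniff_bridge_stanza() {
    nic="$1"; br="$2"
    printf '%s\n' \
        "auto $br" \
        "iface $br inet manual" \
        "    bridge-ports $nic" \
        "    bridge-stp off" \
        "    bridge-fd 0" \
        "    bridge-ageing 0"
}

# Check that a bridge stanza carries no IP configuration (exit 0 = clean).
bridge_is_unaddressed() {
    ! printf '%s\n' "$1" | grep -Eq '^[[:space:]]*(address|gateway|netmask)[[:space:]]'
}

# Command that adds a second, capture-only NIC to the Snort VM on that
# bridge. firewall=0 keeps Proxmox's per-VM firewall bridge out of the path.
attach_sniff_nic_cmd() {
    vmid="$1"; br="$2"
    echo "qm set $vmid -net1 virtio,bridge=$br,firewall=0"
}

# Usage on the Proxmox host (as root, then reload networking):
#   sniff_bridge_stanza eth2 vmbr1 >> /etc/network/interfaces
#   ifreload -a
#   $(attach_sniff_nic_cmd 100 vmbr1)
# Inside the guest the new NIC stays unaddressed and goes promiscuous:
#   ip link set eth1 up promisc on
#   snort -i eth1 -c /etc/snort/snort.conf
```

The guest-side promiscuous flag is what lets Snort see frames addressed to other hosts; without it the capture interface silently drops most of the mirrored traffic.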
Current thread:
- snort sensor on virtual machine...[?] Corbin Fletcher (Apr 11)
- Re: snort sensor on virtual machine...[?] Jefferson, Shawn (Apr 11)
- Re: snort sensor on virtual machine...[?] Paul Marin (Apr 11)
- Re: snort sensor on virtual machine...[?] Paul Marin (Apr 11)
- Re: snort sensor on virtual machine...[?] Mike Hale (Apr 11)
- Re: snort sensor on virtual machine...[?] Paul Marin (Apr 11)
- Re: snort sensor on virtual machine...[?] Jefferson, Shawn (Apr 11)
- Re: snort sensor on virtual machine...[?] Corbin Fletcher (Apr 11)
- Re: snort sensor on virtual machine...[?] Mike Hale (Apr 11)
- Re: snort sensor on virtual machine...[?] Mike Hale (Apr 11)
- Re: snort sensor on virtual machine...[?] Jefferson, Shawn (Apr 11)