Re: snort sensor on virtual machine...[?]

[Corbin Fletcher <corbin () freeway com>]

Hello All,

Thanks for all the great feedback. It has been very helpful in my 
decision making and I will let you know what direction we finally take. 
I will surely have additional questions.

~Corbin

On 04/11/2012 09:44 AM, Jefferson, Shawn wrote:
> Hi,
>
> We've setup span ports, but they are directly connected to one of the physical NICs on the VMware server.  I have the 
> same setup, but I use network taps, with physical NICs dedicated to the tap connection.  Once you do that, you can 
> have multiple virtual machines using that tap port though. (I have a snort sensor and a pcap and streamdb server.)
>
>
> -----Original Message-----
> From: Paul Marin [mailto:pmarinh45 () gmail com]
> Sent: Wednesday, April 11, 2012 9:34 AM
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] snort sensor on virtual machine...[?]
>
> Hi,
>
> I am not completely sure, but I believe you cannot set up a virtual nic for capturing packets from a SPAN/mirror port 
> since you don't have direct physical access to the port. This is something i tried to accomplish in VMware ESXi and i 
> couldn't. I don't know if others virtualization software can do that. (Someone please correct me if I'm wrong).
>
> So, this is something to take in count when running snort in a vm.
>
> By other hand, snort tends to consume a lot of CPU resources. So, maybe it's better to dedicate a whole server to 
> snort instead of sharing it with others apps.
>
> However, if you are planning to run add-on tools like sguil or snortsam, the sguil-server and the snortsam-agent 
> components can surely be run in virtual enviroments.
>
> Kindly,
>
> Paul
>
>
> El 11/04/2012 10:52 a.m., Corbin Fletcher escribió:
> > Greetings Snort community,
> >
> > I am a member of a small team who operates a data center. Our company
> > provides VoIP services for corporations. We utilize primarily open
> > source application. We run Debian and CentOS, FreeSwitch, OpenSIP,
> > MySQL Elastix, FreePBX, Proxmox, etc.
> >
> > We receive a good number of SIP brute force attacks, and other
> > security breaches on our network. And this is the reason for my email.
> >
> > As a team we have agreed to implement a Snort sensor as a NIDS. We are
> > currently not running any IDS and we rely on analyzing logs to be
> > alerted to our network attacks.
> >
> > I would like to install a Snort sensor at the edge of our network on
> > its own dedicate machine and have it sniff all network traffic.
> >
> > Another team member wants to run Snort on a Proxmox cluster in a
> > virtual environment.
> >
> > Can anyone advise about the pros and cons for each approach?
> >
> > Or, could someone please advise on best practices for implementing a
> > Snort sensor on our network?
> >
> > Thanks in advance.
> >
> > ~Corbin
> >
> >
> > ----------------------------------------------------------------------
> > -------- Better than sec? Nothing is better than sec when it comes to
> > monitoring Big Data applications. Try Boundary one-second resolution
> > app monitoring today. Free.
> > http://p.sf.net/sfu/Boundary-dev2dev
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> ------------------------------------------------------------------------------
> Better than sec? Nothing is better than sec when it comes to monitoring Big Data applications. Try Boundary 
> one-second resolution app monitoring today. Free.
> http://p.sf.net/sfu/Boundary-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> ------------------------------------------------------------------------------
> Better than sec? Nothing is better than sec when it comes to
> monitoring Big Data applications. Try Boundary one-second
> resolution app monitoring today. Free.
> http://p.sf.net/sfu/Boundary-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Better than sec? Nothing is better than sec when it comes to
monitoring Big Data applications. Try Boundary one-second 
resolution app monitoring today. Free.
http://p.sf.net/sfu/Boundary-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!