Snort mailing list archives

Re: snort sensor on virtual machine...


From: Ian Bowers <iggdawg () gmail com>
Date: Wed, 11 Apr 2012 13:15:20 -0400

Hi all,

I'm replying from the digest, so I apologize if this has already been answered.

I actually have a snort setup with ESXi right now. Not only is it possible,
but there are some advantages to doing it on a VM.  The only requirement as
far as the ESXi host goes is having 2 physical NICs.

First, setting it up is easy.   Basically you have your ESXi host with 2
physical NICs.  In this example, vmnic0 is assigned to vswitch0, and vmnic1
is assigned to vswitch1. vswitch0 operates as normal with all your VMs on
it, talking to the outside switch as it always would.  vswitch1 is set up
as a plain virtual switch with one VM Network assigned to it.  I labeled
mine "SpanNetwork" to differentiate it from the other port group not using
VLAN tags.  Your snort box is set up on a VM with 2 virtual NICs.  One NIC
is set up as normal, going through vswitch0 to whatever vlan you need it to
go to for remote access. The other is assigned to SpanNetwork on vswitch1.

Next set up the SPAN port on your switch and connect the destination port
to vmnic1 on your ESXi host.  That's all there is to it.  The reason this
works is that the SPAN traffic is just mirrored packets.  When vswitch1
gets them, it behaves like a proper switch and floods all ports except the
incident port with the traffic. In this case there's only one other port,
which goes to the sensor interface on the snort VM.  I think you might need
to turn on promiscuous mode on vswitch1, but I'm not certain.

The light might have already gone off in your head, but this is where the
bonus lies.  Any VM on that ESXi box can have an interface on vswitch1 and
will get a copy of the traffic.  On my ESXi host right now I have two
Security Onion boxes set up, one running Snort and the other running
Suricata, to compare how they both operate in my environment.  It works
great; they both get perfect copies of the traffic to their sensor
interfaces.

Regards,
Ian
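
The vswitch1/SpanNetwork layout Ian describes, as an added ESXi shell script that is not part of this thread; it assumes the switch is named vSwitch1, the mirror uplink is vmnic1, the port group is "SpanNetwork", and the esxcli command set of ESXi 5.x is available on the host. Ian is unsure about promiscuous mode: a standard vSwitch does not flood unknown-destination unicast to VM ports the way a physical switch does, it delivers a frame only to the vNIC whose MAC it carries, so allowing promiscuous mode on the switch (or the port group) is what lets the sensor vNIC see the mirrored traffic, and the script both sets it and checks it.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the dedicated mirror switch on an
# ESXi host with esxcli. Assumed names: vSwitch1, uplink vmnic1, port group
# "SpanNetwork". With DRY_RUN=1 the commands are printed instead of executed.

VSWITCH="${VSWITCH:-vSwitch1}"
UPLINK="${UPLINK:-vmnic1}"
PORTGROUP="${PORTGROUP:-SpanNetwork}"

# Print the command under DRY_RUN, otherwise execute it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create the switch, attach the NIC cabled to the SPAN destination port, add
# the port group for the sensor vNIC, and allow promiscuous ports on it.
build_span_switch() {
    run esxcli network vswitch standard add --vswitch-name="$VSWITCH"
    run esxcli network vswitch standard uplink add \
        --uplink-name="$UPLINK" --vswitch-name="$VSWITCH"
    run esxcli network vswitch standard portgroup add \
        --portgroup-name="$PORTGROUP" --vswitch-name="$VSWITCH"
    # Mirrored frames carry other hosts' MACs. A standard vSwitch hands a
    # frame only to the vNIC owning its destination MAC, so without this the
    # sensor vNIC receives nothing. It also means every VM placed on this
    # switch can read all mirrored traffic: keep only sensors on it.
    run esxcli network vswitch standard policy security set \
        --vswitch-name="$VSWITCH" --allow-promiscuous=true
}

# Read "esxcli network vswitch standard policy security get" output on stdin
# and succeed only if promiscuous mode is allowed on the switch.
promisc_allowed() {
    grep -q -i 'Allow Promiscuous: *true'
}

# Check the live policy on the host (not usable under DRY_RUN).
verify_span_switch() {
    esxcli network vswitch standard policy security get \
        --vswitch-name="$VSWITCH" | promisc_allowed
}

if [ "${1:-}" = "apply" ]; then
    build_span_switch && verify_span_switch
fi
```

Run it once with `DRY_RUN=1 sh span_switch.sh apply` to review the four esxcli calls, then without DRY_RUN on the host; the sensor VM's second vNIC then goes on SpanNetwork with no IP address and Snort listens on that interface.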

Message: 1
Date: Wed, 11 Apr 2012 12:03:56 -0430
From: Paul Marin <pmarinh45 () gmail com>
Subject: Re: [Snort-users] snort sensor on virtual machine...[?]
To: snort-users () lists sourceforge net
Message-ID: <4F85B274.1060309 () gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Hi,

I am not completely sure, but I believe you cannot set up a virtual nic
for capturing packets from a SPAN/mirror port since you don't have
direct physical access to the port. This is something I tried to
accomplish in VMware ESXi and I couldn't. I don't know if other
virtualization software can do that. (Someone please correct me if I'm
wrong).

So, this is something to take into account when running snort in a VM.

On the other hand, snort tends to consume a lot of CPU resources. So, maybe
it's better to dedicate a whole server to snort instead of sharing it
with other apps.

However, if you are planning to run add-on tools like sguil or snortsam,
the sguil-server and the snortsam-agent components can surely be run in
virtual environments.

Kindly,

Paul

