Snort mailing list archives
Re: snort sensor on virtual machine...
From: Ian Bowers <iggdawg () gmail com>
Date: Wed, 11 Apr 2012 13:15:20 -0400
Hi all, I'm replying from digest, so I apologize if this has already been answered.

I actually have a snort setup with ESXi right now. Not only is it possible, but there are some advantages to doing it on a VM. The only requirement as far as the ESXi host goes is having 2 physical NICs.

First, setting it up is easy. Basically you have your ESXi host with 2 physical NICs. In this example, vmnic0 is assigned to vswitch0, and vmnic1 is assigned to vswitch1. vswitch0 operates as normal with all your VMs on it, talking to the outside switch as it always would. vswitch1 is set up as a plain virtual switch with one VM Network assigned to it. I labeled mine "SpanNetwork" to differentiate it from the other port group not using VLAN tags. Your snort box is set up on a VM with 2 virtual NICs. One NIC is set up as normal, going through vswitch0 to whatever VLAN you need it to go to for remote access. The other is assigned to SpanNetwork on vswitch1. Next set up the SPAN port on your switch and connect the destination port to vmnic1 on your ESXi host. That's all there is to it.

The reason this works is that the SPAN traffic is just mirrored packets. When vswitch1 gets them, it behaves like a proper switch and floods all ports except the incident port with the traffic. In this case there's only one other port, which goes to the sensor interface on the snort VM. I think you might need to turn on promiscuous mode on vswitch1, but I'm not certain.

The light might have already gone off in your head, but this is where the bonus lies. Any VM on that ESXi box can have an interface on vswitch1 and will get a copy of the traffic. On my ESXi host right now I have two Security Onion boxes set up, one running Snort and the other running Suricata, to compare how they both operate in my environment. It works great, they both get perfect copies of the traffic to their sensor interfaces.

Regards,
Ian

Message: 1
Date: Wed, 11 Apr 2012 12:03:56 -0430
From: Paul Marin <pmarinh45 () gmail com>
Subject: Re: [Snort-users] snort sensor on virtual machine...[?]
To: snort-users () lists sourceforge net
Message-ID: <4F85B274.1060309 () gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Hi,

I am not completely sure, but I believe you cannot set up a virtual NIC for capturing packets from a SPAN/mirror port since you don't have direct physical access to the port. This is something I tried to accomplish in VMware ESXi and I couldn't. I don't know if other virtualization software can do that. (Someone please correct me if I'm wrong.) So, this is something to take into account when running snort in a VM.

On the other hand, snort tends to consume a lot of CPU resources. So, maybe it's better to dedicate a whole server to snort instead of sharing it with other apps. However, if you are planning to run add-on tools like sguil or snortsam, the sguil-server and the snortsam-agent components can surely be run in virtual environments.

Kindly,
Paul
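Ian is unsure whether promiscuous mode is needed on vswitch1. It is: a standard vSwitch port group delivers to a vNIC only frames addressed to that vNIC's own MAC plus broadcast/multicast unless its security policy accepts promiscuous mode, so a sensor whose capture contains no unicast traffic between other hosts is the symptom to look for. The check below is an added example, not code from the thread or from Snort/Security Onion; it classifies raw Ethernet frames from the sensor interface by destination MAC and gives a verdict on the feed. All MAC addresses and frames in it are constructed sample data.

```python
# Added example: does the sensor vNIC actually see a SPAN feed? Without promiscuous
# mode on the vSwitch port group the guest only gets frames for its own MAC plus
# broadcast/multicast; a real mirror feed is mostly unicast between *other* hosts.
import struct
from collections import Counter

def parse_eth(frame: bytes):
    """Return (dst, src, ethertype) of an Ethernet II frame, or None if runt."""
    return struct.unpack("!6s6sH", frame[:14]) if len(frame) >= 14 else None

def is_group_mac(mac: bytes) -> bool:
    """Broadcast/multicast: the I/G bit is the low bit of the first octet."""
    return bool(mac[0] & 0x01)

def classify_capture(frames, sensor_mac: bytes) -> Counter:
    """Count frames by destination, from the sensor interface's point of view."""
    counts = Counter()
    for frame in frames:
        hdr = parse_eth(frame)
        if hdr is None:
            counts["runt"] += 1
        elif is_group_mac(hdr[0]):
            counts["bcast_mcast"] += 1
        elif hdr[0] == sensor_mac:
            counts["to_sensor"] += 1
        else:
            counts["foreign_unicast"] += 1  # only delivered when promiscuous is accepted
    return counts

def span_verdict(counts: Counter) -> str:
    if sum(counts.values()) == 0:
        return "no-traffic"      # SPAN destination port not patched to vmnic1?
    if counts["foreign_unicast"] == 0:
        return "no-promiscuous"  # vSwitch/port group security policy rejects promisc
    return "ok"

def build_frame(dst: bytes, src: bytes, etype: int = 0x0800) -> bytes:
    return struct.pack("!6s6sH", dst, src, etype) + b"\x00" * 46  # minimum payload

# Constructed sample data, not a real capture; 00:50:56 is a VMware vNIC OUI.
SENSOR_MAC = bytes.fromhex("005056aabbcc")
HOST_A, HOST_B, BCAST = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), b"\xff" * 6
GOOD_FEED = [build_frame(HOST_A, HOST_B), build_frame(HOST_B, HOST_A), build_frame(BCAST, HOST_A, 0x0806)]
STARVED_FEED = [build_frame(SENSOR_MAC, HOST_A), build_frame(BCAST, HOST_A, 0x0806)]

if __name__ == "__main__":
    for name, feed in (("good", GOOD_FEED), ("starved", STARVED_FEED)):
        print(name, span_verdict(classify_capture(feed, SENSOR_MAC)))
```

On a live sensor, feed it the raw frames from a short capture of the SpanNetwork interface (a pcap reader is needed; not shown) together with that vNIC's MAC.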
Current thread:
- Re: snort sensor on virtual machine... Ian Bowers (Apr 11)
- Re: snort sensor on virtual machine... Dave Corsello (Apr 12)