Snort mailing list archives

Re: Virtual Machines and Hypervisors


From: Juan Camilo Valencia <juan.valencia () seguratec com co>
Date: Tue, 29 Jan 2013 10:00:11 -0500

Hi Joel,

Great, thank you, I'm going to try.

Regards,


On Tue, Jan 29, 2013 at 9:36 AM, Joel Esler <jesler () sourcefire com> wrote:

No, not really (VMs sending identifying traffic). The best detection
method is detection of multiple MACs from a single IP, or multiple IPs from
a single MAC.


On Jan 29, 2013, at 9:24 AM, Juan Camilo Valencia <camilo.valencia13 () gmail com> wrote:

Hi Guys,

I thought that maybe the VMs generate some kind of flags in the headers of
the protocols they use to communicate on the network. Basically I can detect the MAC
address and associate it with an IP address; however, there are scenarios
where people can change the MAC address, and then the method that I use is not
valid. But thanks a lot for your fast answer,

Best Regards,


On Tue, Jan 29, 2013 at 9:06 AM, Joel Esler <jesler () sourcefire com> wrote:

On Jan 29, 2013, at 7:59 AM, Juan Camilo Valencia <juan.valencia () seguratec com co> wrote:

Hi Guys,

I am trying to find a way to ban virtual machines and hypervisors on our
network. I did some quick research and I didn't find anything.

Can somebody tell me if there is a way or a method to detect that? One of my
ideas is, when the VM is configured in NAT mode, to detect that kind of traffic,
but the problem is when the VM is configured in bridged mode.


It's a bit difficult to take care of this task via Snort as it involves
tracking host vs. MAC address vs. traffic.  Snort doesn't help inherently
with this.

Sourcefire makes another product that does this (it's not open source) as
part of our commercial products.

--
*Joel Esler*
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire




--
JUAN CAMILO VALENCIA VARGAS
Ingeniero de Operaciones
SeguraTec S.A.S
Calle 11 # 43B-50 of 307
Medellín Colombia

*“Choose a job you love, and you will never have to work a day in your life”*





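Joel's two heuristics above (several MACs behind one IP, or several IPs behind one MAC, seen close together in time) are easy to run over the IP/MAC observations Juan says he already collects from ARP or DHCP. The script below is an added example written for this archive page; it is not code from the thread, from Snort, or from Sourcefire. The "timestamp ip mac" log format, the 10-minute window and the sample records are assumptions; the OUI table holds the commonly published hypervisor vendor prefixes and is only a first pass, since, as Juan notes, a cloned MAC defeats it.

```python
"""Hypervisor-presence heuristics over IP/MAC observations (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Commonly published OUI prefixes registered to hypervisor vendors.
# Cheap first pass only: a guest with a cloned or random MAC defeats it.
VM_OUIS = {
    "00:50:56": "VMware",
    "00:0c:29": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen",
    "52:54:00": "QEMU/KVM",
}

# Constructed sample records in the shape an ARP/DHCP collector might write
# ("<ISO timestamp> <ip> <mac>"); every host and address here is made up.
SAMPLE_OBSERVATIONS = """\
2013-01-29T09:00:05 10.1.2.10 00:50:56:a1:b2:c3   # VMware OUI on a bridged guest
2013-01-29T09:00:07 10.1.2.11 3c:97:0e:11:22:33   # physical laptop
2013-01-29T09:00:30 10.1.2.30 d4:3d:7e:55:66:77   # lease later reassigned
2013-01-29T09:01:10 10.1.2.11 3c:97:0e:11:22:33
2013-01-29T09:02:00 10.1.2.12 3c:97:0e:11:22:33   # second IP behind the laptop's MAC
2013-01-29T09:03:00 10.1.2.20 aa:bb:cc:00:00:01
2013-01-29T09:04:00 10.1.2.20 aa:bb:cc:00:00:02   # same IP, new MAC one minute later
2013-01-29T11:30:00 10.1.2.30 9c:b6:d0:88:99:aa   # .30 re-leased hours later: benign
"""


def parse_observations(text):
    """Parse "<ISO timestamp> <ip> <mac>" lines; '#' starts a comment."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, ip, mac = line.split()
        records.append((datetime.fromisoformat(ts), ip, mac.lower()))
    return records


def oui_vendor(mac):
    """Vendor name if the MAC's OUI is a known hypervisor prefix, else None."""
    return VM_OUIS.get(mac.lower()[:8])


def _multi_within_window(triples, window):
    """triples: (ts, key, value). Return {key: set(values)} for every key that
    maps to more than one distinct value inside some span of length `window`.
    The window keeps ordinary DHCP lease reassignment from being flagged."""
    by_key = defaultdict(list)
    for ts, key, value in triples:
        by_key[key].append((ts, value))
    flagged = {}
    for key, seen in by_key.items():
        seen.sort()
        recent = deque()
        for ts, value in seen:
            recent.append((ts, value))
            while ts - recent[0][0] > window:
                recent.popleft()
            values = {v for _, v in recent}
            if len(values) > 1:
                flagged.setdefault(key, set()).update(values)
    return flagged


def analyse(log_text, window=timedelta(minutes=10)):
    """Run all three heuristics; each result is an indicator to inspect, not proof."""
    obs = parse_observations(log_text)
    vm_oui = {}
    for _, _, mac in obs:
        vendor = oui_vendor(mac)
        if vendor:
            vm_oui[mac] = vendor
    return {
        "ip_multi_mac": _multi_within_window([(ts, ip, mac) for ts, ip, mac in obs], window),
        "mac_multi_ip": _multi_within_window([(ts, mac, ip) for ts, ip, mac in obs], window),
        "vm_oui": vm_oui,
    }


if __name__ == "__main__":
    for name, hits in analyse(SAMPLE_OBSERVATIONS).items():
        print(name)
        for key, val in sorted(hits.items()):
            print("  ", key, "->", sorted(val) if isinstance(val, set) else val)
```

Both address-pairing heuristics also fire on things that are not VMs: a router or a multi-homed host legitimately carries several IPs on one MAC, and an IP that jumps between MACs inside the window can be a cluster failover or a DHCP pool that is too small. Treat a hit as a host to look at, not as grounds for an automatic block, and tune the window to the site's lease times.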
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
