Snort mailing list archives

Monitoring workstation for Snort - Virtualization question


From: Research <research () nativemethods com>
Date: Sun, 19 Jul 2015 19:13:10 -0400

Hello,

I am setting up a workstation to act as a Snort sensor for my network.

For the host OS for the sensor, I’d like to use Mac OS X 10.10.4 (current release + service pack).  I would then like 
to use VMware Fusion 7 to host a guest OS with Ubuntu 14.04 LTS as the true monitoring OS that Snort will run on.  
VMware will thus allow me to have snapshots to revert to if the guest OS is compromised.  I am aware that using VMware 
ESXi as the host OS is probably preferable, but am constrained from doing so in this particular project.

To allow traffic to pass to the guest OS, I have configured it to use bridged mode and have configured the virtual NIC to 
run in promiscuous mode.

My question relates to protecting the host OS - Mac OS X.  My plan is to create a pf (Mac OS X firewall) ruleset on 
the Mac that blocks all traffic on the workstation physical NIC - en0.  I am then *assuming* that traffic that is 
destined for the Snort sensor guest OS will be over the virtual NIC.  The Snort sensor guest OS will be configured with 
a routable IP address and the workstation will sit in the DMZ of my network.

Am I correct that even though the physical Ethernet adaptor (en0) has inbound traffic blocked, traffic destined 
for the VMware virtual NIC will still flow through and thus reach the guest OS with Snort in it?  My number one 
priority here is to prevent malicious traffic from targeting the host OS.

I am aware that this question covers my configuration regarding VMware rather than Snort, but I have asked this 
question in snort-users because I am curious if anyone has attempted anything similar (i.e.: using a Windows client OS 
with VMware on top for guest Snort monitors), and can provide any insight.

Thank you
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
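An added example of the host-side pf ruleset the post describes, not code from the poster: it assumes the physical NIC is en0 (as in the post) and that the host itself only needs outbound DNS/HTTP/HTTPS for updates. It also assumes, as is generally the case with VMware bridged networking, that the vmnet bridge taps en0 at the link layer below the host IP stack where pf hooks, so these rules filter only frames addressed to the host and neither block nor protect the bridged Snort guest, which has to be hardened separately.

```pf
# /etc/pf.conf on the Mac OS X host (added example; assumes en0 is the
# physical NIC as stated in the post)
ext_if = "en0"

# Never filter loopback
set skip on lo0

# Default deny on the physical interface; log inbound drops for review
block in log on $ext_if all
block out on $ext_if all

# Host-initiated outbound only (DNS, HTTP, HTTPS); stateful so replies
# are allowed back in without an explicit "pass in"
pass out on $ext_if proto { tcp udp } from ($ext_if) to any port { 53 80 443 } keep state

# Allow the host to ping out for basic reachability checks
pass out on $ext_if inet proto icmp from ($ext_if) to any icmp-type echoreq keep state

# Assumption (see lead-in): frames the VMware bridge delivers to the guest's
# MAC bypass the host IP stack and are not evaluated against these rules.
```

Load it with `sudo pfctl -ef /etc/pf.conf` and review what the host is dropping with `sudo tcpdump -n -e -ttt -i pflog0` (create pflog0 first with `sudo ifconfig pflog0 create` if it does not exist); traffic reaching the guest should be verified from inside the guest, not from the host's pf logs.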