Snort mailing list archives
Monitoring workstation for Snort - Virtualization question
From: Research <research () nativemethods com>
Date: Sun, 19 Jul 2015 19:13:10 -0400
Hello, I am setting up a workstation to act as a Snort sensor for my network. For the host OS for the sensor, I'd like to use Mac OS X 10.10.4 (current release + service pack). I would then like to use VMware Fusion 7 to host a guest OS with Ubuntu 14.04 LTS as the true monitoring OS that Snort will run on. VMware will thus allow me to have snapshots to revert to if the guest OS is compromised. I am aware that using VMware ESXi as the host OS is probably preferable, but am constrained from doing so in this particular project.

To allow traffic to pass to the guest OS, I have configured it to use bridged mode and have configured the virtual NIC to run in promiscuous mode.

My question relates to protecting the host OS, Mac OS X. My plan is to create a pf (Mac OS X firewall) ruleset on the Mac that blocks all traffic on the workstation's physical NIC, en0. I am then *assuming* that traffic destined for the Snort sensor guest OS will be over the virtual NIC. The Snort sensor guest OS will be configured with a routable IP address, and the workstation will sit in the DMZ of my network.

Am I correct that, even though the physical Ethernet adaptor (en0) has inbound traffic blocked, traffic destined for the VMware virtual NIC will still flow through and thus reach the guest OS with Snort in it? My number one priority here is to prevent malicious traffic from targeting the host OS.

I am aware that this question covers my configuration regarding VMware rather than Snort, but I have asked it in snort-users because I am curious whether anyone has attempted anything similar (e.g. using a Windows client OS with VMware on top for guest Snort monitors) and can provide any insight.
Thank you

Snort-users mailing list: Snort-users () lists sourceforge net
List information: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
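The following is an added example of the kind of host-side pf ruleset the post describes; it is not the poster's ruleset and was not part of the thread. It assumes en0 is the physical interface (as in the post), that the host itself still needs to make outbound connections (updates, SSH out), and that management SSH into the host should be reachable only from one admin address; the address 192.0.2.10 and the file name are hypothetical. Fusion's bridged networking attaches to en0 at the link layer, so frames addressed to the guest's MAC are handed to the VM rather than passed up the host's own IP stack, which is where pf filters; the check that matters is therefore to load the rules, run tcpdump inside the guest and confirm traffic still arrives, while pflog0 on the host shows what is being dropped before it reaches Mac OS X.

```pf
# /etc/pf.snort-host.conf  (hypothetical file name, added example)
# Host-protection policy for the Mac that runs the Snort guest.
# Loaded as a separate file so Apple's own /etc/pf.conf anchors are left alone.

ext_if     = "en0"          # physical NIC named in the post
admin_host = "192.0.2.10"   # hypothetical management workstation

set skip on lo0             # never filter loopback
set block-policy drop       # drop silently; no RST/ICMP unreachable back to a scanner

# Default deny on the physical NIC in both directions.
# Inbound drops are logged to pflog0 so the host's exposure can be audited.
block in  log on $ext_if all
block out     on $ext_if all

# Traffic the host itself originates, stateful so replies are admitted.
# ($ext_if) in parentheses means "whatever address en0 currently holds".
pass out quick on $ext_if proto { tcp udp icmp } from ($ext_if) to any keep state

# The only inbound service on the host: SSH from the admin workstation.
pass in quick on $ext_if proto tcp from $admin_host to ($ext_if) port 22 \
    flags S/SA keep state
```

Check the syntax without loading it with `sudo pfctl -nf /etc/pf.snort-host.conf`, then enable pf and load the file with `sudo pfctl -ef /etc/pf.snort-host.conf` and confirm the active rules with `sudo pfctl -sr`. To watch what is being dropped on the host, create the log interface if it does not exist (`sudo ifconfig pflog0 create`) and run `sudo tcpdump -n -e -ttt -i pflog0`. Because `block out` is unconditional, anything the host needs that is not covered by the `pass out` line (DHCP on en0, for instance, if the host is not statically addressed) must be added explicitly.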