Hi Everyone,

Can anyone confirm if a xen based domU can be used for snort setup? It is not for commercial use, rather just SOHO use.

Regards,
dot.yet

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
* dot.yet@gmail.com [2009-06-25 23:08:41]
> Can anyone confirm if a xen based domU can be used for snort setup? It is
> not for commercial use, rather just SOHO use.

You can run snort in a guest, but it won't see all of the traffic from the wire.

It gets:
- traffic to its MAC address,
- traffic with the multicast bit set in the destination address.

In most cases this makes it unusable for snort.

dme.
--
David Edmondson, Sun Microsystems, http://dme.org
On Fri, Jun 26, 2009 at 5:09 PM, David Edmondson <dme@sun.com> wrote:
> * dot.yet@gmail.com [2009-06-25 23:08:41]
>> Can anyone confirm if a xen based domU can be used for snort setup? It is
>> not for commercial use, rather just SOHO use.
>
> You can run snort in a guest, but it won't see all of the traffic from
> the wire.
>
> It gets:
> - traffic to its MAC address,
> - traffic with the multicast bit set in the destination address.
>

... and how is this different from a physical server, connected to a switch? Won't the switch filter out packets not intended for mac addresses on a particular port?

--
Fajar
I would imagine that the bridge acts as its own filtering link, so even if you used a hub or port mirroring, the domU will only get frames destined for it.

Best Regards,
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC

Sent from my BlackBerry

-----Original Message-----
From: "Fajar A. Nugraha" <fajar@fajar.net>
Date: Fri, 26 Jun 2009 22:56:40
To: David Edmondson <dme@sun.com>
Cc: <xen-discuss@opensolaris.org>; <xen-users@lists.xensource.com>; Dot Yet <dot.yet@gmail.com>
Subject: [Xen-users] Re: [xen-discuss] Snort on domU

On Fri, Jun 26, 2009 at 5:09 PM, David Edmondson <dme@sun.com> wrote:
> * dot.yet@gmail.com [2009-06-25 23:08:41]
>> Can anyone confirm if a xen based domU can be used for snort setup? It is
>> not for commercial use, rather just SOHO use.
>
> You can run snort in a guest, but it won't see all of the traffic from
> the wire.
>
> It gets:
> - traffic to its MAC address,
> - traffic with the multicast bit set in the destination address.
>

... and how is this different from a physical server, connected to a switch? Won't the switch filter out packets not intended for mac addresses on a particular port?

--
Fajar
I believe Fajar was implying that it would be no different than having a switch between the switch where one is using port mirroring and the machine one is using for snort. It might even be possible to send other traffic to a specific destination on said switch as well, but that is more of a Linux bridging question.

Regardless, a switch is a multiport bridge, and so is the bridging used in Xen. ;)

Dustin

-----Original Message-----
From: xen-users-bounces@lists.xensource.com [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Nathan Eisenberg
Sent: Friday, June 26, 2009 12:02
To: xen-users@lists.xensource.com
Subject: Re: [Xen-users] Re: [xen-discuss] Snort on domU

I would imagine that the bridge acts as its own filtering link, so even if you used a hub or port mirroring, the domU will only get frames destined for it.

Best Regards,
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC

Sent from my BlackBerry

-----Original Message-----
From: "Fajar A. Nugraha" <fajar@fajar.net>
Date: Fri, 26 Jun 2009 22:56:40
To: David Edmondson <dme@sun.com>
Cc: <xen-discuss@opensolaris.org>; <xen-users@lists.xensource.com>; Dot Yet <dot.yet@gmail.com>
Subject: [Xen-users] Re: [xen-discuss] Snort on domU

On Fri, Jun 26, 2009 at 5:09 PM, David Edmondson <dme@sun.com> wrote:
> * dot.yet@gmail.com [2009-06-25 23:08:41]
>> Can anyone confirm if a xen based domU can be used for snort setup? It is
>> not for commercial use, rather just SOHO use.
>
> You can run snort in a guest, but it won't see all of the traffic from
> the wire.
>
> It gets:
> - traffic to its MAC address,
> - traffic with the multicast bit set in the destination address.
>

... and how is this different from a physical server, connected to a switch? Won't the switch filter out packets not intended for mac addresses on a particular port?

--
Fajar
* fajar@fajar.net [2009-06-26 16:56:40]
> On Fri, Jun 26, 2009 at 5:09 PM, David Edmondson <dme@sun.com> wrote:
>> * dot.yet@gmail.com [2009-06-25 23:08:41]
>>> Can anyone confirm if a xen based domU can be used for snort setup? It is
>>> not for commercial use, rather just SOHO use.
>>
>> You can run snort in a guest, but it won't see all of the traffic from
>> the wire.
>>
>> It gets:
>> - traffic to its MAC address,
>> - traffic with the multicast bit set in the destination address.
>>
>
> ... and how is this different from a physical server, connected to a
> switch? Won't the switch filter out packets not intended for mac
> addresses on a particular port?

Most switches do this, yes. In that case it's usually possible to put a switch port into monitor mode, which means that it gets all packets. This isn't currently possible with the Solaris VNIC implementation.

dme.
--
David Edmondson, Sun Microsystems, http://dme.org
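The forwarding rule the thread is arguing about, as an added example (not code from the thread, nor from Xen or Crossbow): a toy learning bridge in Python with three ports, the physical uplink and two guest vifs. It shows which frames a Snort domU's vif receives from a plain bridge versus one that mirrors every frame to that port the way a switch monitor port does, and it also covers the case the thread does not mention, unicast to a not-yet-learned MAC, which a bridge floods. Port names, MAC addresses and the traffic are constructed sample values.

```python
"""Toy learning-bridge model (added example): what a Snort domU's vif sees."""
from collections import defaultdict

def is_multicast(mac: str) -> bool:
    # Group bit: least significant bit of the first octet (also set for broadcast).
    return int(mac.split(":")[0], 16) & 1 == 1

class Bridge:
    def __init__(self, ports, monitor_port=None):
        self.ports = list(ports)
        self.monitor_port = monitor_port      # None = ordinary bridge, no mirroring
        self.fdb = {}                         # learned source MAC -> ingress port
        self.delivered = defaultdict(list)    # port -> (src, dst) frames it received

    def receive(self, in_port, src, dst):
        self.fdb[src] = in_port               # learn where the sender lives
        if is_multicast(dst) or dst not in self.fdb:
            outs = [p for p in self.ports if p != in_port]   # flood
        elif self.fdb[dst] != in_port:
            outs = [self.fdb[dst]]            # known unicast: one egress port
        else:
            outs = []                         # both hosts on the same segment: not forwarded
        mon = self.monitor_port
        if mon and mon != in_port and mon not in outs:
            outs.append(mon)                  # monitor port gets a copy of everything
        for p in outs:
            self.delivered[p].append((src, dst))

# Constructed sample addresses and traffic (not captured data).
SNORT = "00:16:3e:00:00:01"                   # Snort domU vif MAC
OTHER = "00:16:3e:00:00:02"                   # another domU on the same bridge
H1, H2, H3 = "52:54:00:aa:aa:01", "52:54:00:aa:aa:02", "52:54:00:aa:aa:03"
BCAST = "ff:ff:ff:ff:ff:ff"
FRAMES = [
    ("vif-snort", SNORT, BCAST),  # Snort domU announces itself; bridge learns its MAC
    ("eth0", H1, BCAST),          # ARP broadcast from the LAN: flooded to every vif
    ("eth0", H2, H1),             # two LAN hosts talking: never leaves the uplink segment
    ("vif-other", OTHER, H1),     # other domU -> LAN host: goes to eth0 only
    ("eth0", H1, OTHER),          # LAN host -> other domU: goes to vif-other only
    ("eth0", H1, SNORT),          # LAN host -> Snort domU: delivered to vif-snort
    ("eth0", H1, H3),             # unknown destination MAC: flooded, so vif-snort sees it
]

def frames_seen_by(port, mirror=False):
    """Replay FRAMES and return the frames delivered to `port`, optionally mirrored."""
    br = Bridge(["eth0", "vif-snort", "vif-other"], monitor_port=port if mirror else None)
    for frame in FRAMES:
        br.receive(*frame)
    return br.delivered[port]

if __name__ == "__main__":
    print("plain bridge :", frames_seen_by("vif-snort"))
    print("mirrored     :", frames_seen_by("vif-snort", mirror=True))
```

Without mirroring the Snort vif receives only the broadcast, the frame addressed to it and the flooded unknown-unicast frame; the LAN-to-LAN conversation and the other domU's traffic never reach it, which is why an IDS guest needs the bridge (or the Crossbow VNIC layer) to offer a monitor-style port.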
So does that mean the Crossbow <http://www.opensolaris.org/os/project/crossbow/> project on opensolaris does not cater to this kind of requirement yet?

rgds,
dot.yet

On Fri, Jun 26, 2009 at 12:54 PM, David Edmondson <dme@sun.com> wrote:
> * fajar@fajar.net [2009-06-26 16:56:40]
> > On Fri, Jun 26, 2009 at 5:09 PM, David Edmondson <dme@sun.com> wrote:
> >> * dot.yet@gmail.com [2009-06-25 23:08:41]
> >>> Can anyone confirm if a xen based domU can be used for snort setup? It is
> >>> not for commercial use, rather just SOHO use.
> >>
> >> You can run snort in a guest, but it won't see all of the traffic from
> >> the wire.
> >>
> >> It gets:
> >> - traffic to its MAC address,
> >> - traffic with the multicast bit set in the destination address.
> >>
> >
> > ... and how is this different from a physical server, connected to a
> > switch? Won't the switch filter out packets not intended for mac
> > addresses on a particular port?
>
> Most switches do this, yes. In that case it's usually possible to put a
> switch port into monitor mode, which means that it gets all
> packets. This isn't currently possible with the Solaris VNIC
> implementation.
>
> dme.
> --
> David Edmondson, Sun Microsystems, http://dme.org
>
* dot.yet@gmail.com [2009-06-28 03:16:13]
> So does that mean the
> Crossbow <http://www.opensolaris.org/os/project/crossbow/> project on
> opensolaris does not cater to this kind of requirement yet?

We would need to make small changes to the Crossbow implementation, yes. It would also be necessary to add some policy hooks to our backend driver implementation to allow an administrator to indicate which guest domains should be allowed to have all traffic (and perhaps a small protocol extension to allow the guest to enable it?).

dme.
--
David Edmondson, Sun Microsystems, http://dme.org