similar to: span port from cisco switch to host to guest using kvm

----- Forwarded message from John <strgout@mail.unixjunkie.com> ----- Date: Mon, 15 Dec 2003 17:58:15 -0600 From: John <strgout@mail.unixjunkie.com> To: freebsd-stable@freebsd.org Subject: interface bonding User-Agent: Mutt/1.4i Is there any way to bond sniffer interfaces? I've read a little on netgraph and it seems like i maybe able to use that but i'm not sure how to go

Hi all, I have been troubled with the traffic flow on the XCP 1.6 and XCP 0.5. - I have 4 servers in VLAN2 on port b12,b13,b14,b15 (these servers work on a XCP 0.5) - on port a3 have have mirrort al ports from a1,a2,a4-b24 - have a other HP server with XCP1.6 with (Debian 6.0.6 as host) and install snort. this has 2 eth carts in it. Eth0 is plugt in the VLAN2 network and

Hi I am using puppet to mirror a directory of files, if any of these change then processes need to be restarted. class snort { package { ["snort", "perl-Archive-Tar", "barnyard2", "perl-libwww-perl", "perl- Crypt-SSLeay"]: ensure => present; } # package user{ "snort": managehome => true,

I have a dependency loop reported but I can not see how this can be: class monitor { class pulledpork ( $master) { exec { "/home/snort/bin/pulledpork -nc conf/$master/pp.conf": cwd => "/home/snort", subscribe => [File["/home/snort/conf/$master/pp"], File[ "/ home/snort/Rules/$master"] ], notify =>

Hi All, I am adding ip_queue module for snort inline IDS. I am using snort2.4.0 And iptables-1.3.4. Userspace Queuing(queue target) is enabled. It is built-in and not built as a module. The output of /proc/net/ip_queue is shown below: cat /proc/net/ip_queue> Peer PID : 0 Copy mode : 0 Copy range : 0 Queue length : 0 Queue max. length : 1024 IPTABLES 1.3.4 is

I figured that someone reading this list might want to take a look at the proceeding, considering that the version of Snort in FreeBSD ports -is- affected. -----Forwarded Message----- > From: CERT Advisory <cert-advisory@cert.org> > To: cert-advisory@cert.org > Subject: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors > Date: 17 Apr 2003 11:30:47 -0400

I made an atempt to run snort_inline and shorewall on the same system but I could not get snort to see the packets. Maybe someone with a little more iptables knowledge could tell me what I''m doing wrong or if its possible to have the systems setup so that it places packets that the firewall would allow into QUEUE. After setting up and starting shorewall I then issue the following

Dear all, I''m setting up a new gateway for a small network (under 30 users)Gw will host the following services:shorewalldnsproxy i''m considering installing snort.can i do so on the same exact box ? is there any security risk of doing so ? box would have 4 ISPs and two internal interfaces. Any recommendation about the optimal setup of snort and shorewall (or if you suggest

Hello all: I tried to install snort under /usr/ports/security and have some problems. with "make all", I checked every item on the menu but I got error messages: ////////////////////////////// laptop# make all ===> snort-2.8.1_1 is marked as broken: FLEXRESP2 patch file does not incorporate cleanly. *** Error code 1 Stop in /usr/ports/security/snort.

hello list, i''ve set up shorewall and snort inline on a linux box. it works, but snort only sees traffic from new connections. and this is because shorewall automatically generates rules to accept established and related connections. how can i force shorewall to queue everything, so that snort can scan the hole traffic like in IDS mode. The setup i have now is really simple, just 2 zones

hi everyone, so,first it seemed a trivial question to me, but since I could not find anybody being neither able to answer this question nor giving a short config example. after a few sleepless nights and exhausting all the reading and research. here I am sharing my problem with all of you, in the hope of some possible solution/sugestion. or is it that this is impossible?? below my

Plus I would like to let you know that it works like a charm. Snort can now see those packets. -----Original Message----- From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Thibodeau, Jamie L. Sent: Wednesday, March 30, 2005 9:25 AM To: Mailing List for Shorewall Users Subject: RE: [Shorewall-users] Shorewall and an inline

From: Andy Lutomirski <luto at amacapital.net> Once virtio starts using the DMA API, we won't be able to safely DMA from the stack. virtio-net does a couple of config DMA requests from small stack buffers -- switch to using dynamically-allocated memory. This should have no effect on any performance-critical code paths. Cc: netdev at vger.kernel.org Cc: "Michael S. Tsirkin"

From: Andy Lutomirski <luto at amacapital.net> Once virtio starts using the DMA API, we won't be able to safely DMA from the stack. virtio-net does a couple of config DMA requests from small stack buffers -- switch to using dynamically-allocated memory. This should have no effect on any performance-critical code paths. Cc: netdev at vger.kernel.org Cc: "Michael S. Tsirkin"

SlashDot had an article today on a Linux server malware attack, <http://it.slashdot.org/story/14/03/18/2218237/malware-attack-infected-25000-linuxunix-servers>. I wonder if there is a simple test to see if a CentOS machine has been infected in this way? The article mentions Yara and Snort rules to test for this, but I wonder if there is something simpler? Alternatively, are there Yara or

Hello, I have created an ovs bridge on which i have attached a port. I would like to connect my vm to that port,so i have created an xml defining the network. The xml is: <network> <name>ovs-snort</name> <forward mode='bridge'/> <bridge name='snort'/> <virtualport type='openvswitch'/> </network> but when i do virsh

Question to the list, Has anyone here had experience using Shorewall (multi-isp configuration) with Snort inline? First, is this possible? Second, if anyone has done this, what documentation, if any did they use to set it up? Third, does snort have to run inline on a firewall (I''m under the impression it does)?

I've been prowling through the FreeBSD and Snort list archives in search of information on setting up snort on a FreeBSD bridge(4) that logs to a remote postgres box via a third interface (hme0) Snort is being started with the following command: /usr/local/bin/snort -A full -D -e -d -s -i fxp0 -c /usr /local/etc/snort.conf Where fxp0 and fxp1 are in the bridge output from sysctl:

In current Crossbow''s implementation, vlan tag seems to be unconditionally retained for promisc mode listener even when MAC_OPEN_FLAGS_TAG_DISABLE is not specified. I saw comments in mac_rx_deliver() saying that this is deliberately designed like this. I''m wondering why we design it like this (choose not to respect MAC_OPEN_FLAGS_TAG_DISABLE flag for promisc mode listener)? Or

You are awesome!!!! -----Original Message----- From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep Sent: Wednesday, March 30, 2005 9:11 AM To: Mailing List for Shorewall Users Subject: Re: [Shorewall-users] Shorewall and an inline IDS (snort-inlineorhogwash) Tom Eastep wrote: > Thibodeau, Jamie L. wrote: >