<div dir="ltr"><div><div>Itamar,<br></div> Wow this is awesome. I set up the port mirror vnic profile (had never used vnic profiles before on oVirt, but it was super easy) and all is working as it should. Thanks for the input!<br><br>Antoni,<br></div> I had installed the macspoof hook, thanks for the response. <br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 29, 2014 at 10:17 AM, Itamar Heim <span dir="ltr"><<a href="mailto:iheim@redhat.com" target="_blank">iheim@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 09/29/2014 04:24 PM, Antoni Segura Puimedon wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<br>
----- Original Message -----<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
From: "Pat Pierson" <<a href="mailto:ihasn2004@gmail.com" target="_blank">ihasn2004@gmail.com</a>><br>
To: <a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a><br>
Sent: Monday, September 29, 2014 3:07:53 PM<br>
Subject: [ovirt-users] oVirt and Snort<br>
<br>
I am attempting to use Snort as an IDS on my network. Currently I have all<br>
traffic on my router uplink port mirrored to a port I have plugged into an<br>
unused port on an oVirt node. I have created a network that only has access<br>
to that port and assigned that network to my snort vm. I am able to see<br>
broadcast traffic (DHCP requests, DNS discoveries, ect) when I listen to<br>
that port but no direct IP to IP traffic. I believe it has something to do<br>
with macspoofing but I am not sure I have set that up correctly for this<br>
host. Has anyone seen documentation on properly setting up macspoofing or<br>
using snort on a virtual infrastructure like oVirt??<br>
</blockquote>
<br>
Did you install the macspoof hook in that machine and set it up for the vnic?<br>
</blockquote>
<br></span>
why is that needed for listening only? just creating a vnic profile with port mirroring should work out of the box with no hooks?<div class="HOEnZb"><div class="h5"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
--<br>
Patrick Pierson<br>
<br>
______________________________<u></u>_________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/<u></u>mailman/listinfo/users</a><br>
<br>
</blockquote>
______________________________<u></u>_________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/<u></u>mailman/listinfo/users</a><br>
<br>
</blockquote>
<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Patrick Pierson
</div>