Itamar,
  Wow this is awesome.  I set up the port mirror vnic profile (had never used vnic profiles before on oVirt, but it was super easy) and all is working as it should.  Thanks for the input!

Antoni,
   I had installed the macspoof hook, thanks for the response.

On Mon, Sep 29, 2014 at 10:17 AM, Itamar Heim <iheim@redhat.com> wrote:
On 09/29/2014 04:24 PM, Antoni Segura Puimedon wrote:


----- Original Message -----
From: "Pat Pierson" <ihasn2004@gmail.com>
To: users@ovirt.org
Sent: Monday, September 29, 2014 3:07:53 PM
Subject: [ovirt-users] oVirt and Snort

I am attempting to use Snort as an IDS on my network. Currently I have all
traffic on my router uplink port mirrored to a port I have plugged into an
unused port on an oVirt node. I have created a network that only has access
to that port and assigned that network to my snort vm. I am able to see
broadcast traffic (DHCP requests, DNS discoveries, etc.) when I listen to
that port but no direct IP to IP traffic. I believe it has something to do
with macspoofing but I am not sure I have set that up correctly for this
host. Has anyone seen documentation on properly setting up macspoofing or
using snort on a virtual infrastructure like oVirt??

Did you install the macspoof hook in that machine and set it up for the vnic?

Why is that needed for listening only? Just creating a vnic profile with port mirroring should work out of the box with no hooks?




--
Patrick Pierson

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

--
Patrick Pierson