Itamar,

Wow this is awesome. I set up the port mirror vnic profile (had never
used vnic profiles before on oVirt, but it was super easy) and all is
working as it should. Thanks for the input!

Antoni,

I had installed the macspoof hook, thanks for the response.

On Mon, Sep 29, 2014 at 10:17 AM, Itamar Heim <iheim(a)redhat.com> wrote:
On 09/29/2014 04:24 PM, Antoni Segura Puimedon wrote:
>
>
> ----- Original Message -----
>
>> From: "Pat Pierson" <ihasn2004(a)gmail.com>
>> To: users(a)ovirt.org
>> Sent: Monday, September 29, 2014 3:07:53 PM
>> Subject: [ovirt-users] oVirt and Snort
>>
>> I am attempting to use Snort as an IDS on my network. Currently I have all
>> traffic on my router uplink port mirrored to a port I have plugged into an
>> unused port on an oVirt node. I have created a network that only has access
>> to that port and assigned that network to my snort vm. I am able to see
>> broadcast traffic (DHCP requests, DNS discoveries, etc.) when I listen to
>> that port but no direct IP to IP traffic. I believe it has something to do
>> with macspoofing but I am not sure I have set that up correctly for this
>> host. Has anyone seen documentation on properly setting up macspoofing or
>> using snort on a virtual infrastructure like oVirt??
>>
>
> Did you install the macspoof hook in that machine and set it up for the
> vnic?
>
Why is that needed for listening only? Just creating a vnic profile with
port mirroring should work out of the box with no hooks?
>
>> --
>> Patrick Pierson
>>
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
--
Patrick Pierson
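
A check for the symptom described in the original question (broadcast visible, no IP-to-IP traffic), as an added example that is not part of the thread: it classifies the frames in a capture taken on the sensor's vNIC by destination MAC, so a mirror that delivers only broadcast and multicast is easy to tell from a working one. The function names, MAC addresses and in-memory captures are constructed for illustration.

```python
import struct
BROADCAST = b"\xff" * 6

def build_pcap(frames):
    """Build a classic little-endian pcap (linktype 1 = Ethernet) in memory."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def classify(pcap_bytes, sensor_mac):
    """Count captured frames by destination-MAC class."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack_from(endian + "I", pcap_bytes, 20)[0] != 1:
        raise ValueError("capture is not Ethernet (linktype 1)")
    counts = {"broadcast": 0, "multicast": 0, "to_sensor": 0, "unicast_other": 0}
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from(endian + "I", pcap_bytes, off + 8)[0]
        dst = pcap_bytes[off + 16:off + 22]
        off += 16 + incl_len
        if incl_len < 14 or len(dst) < 6:
            continue  # too short to hold an Ethernet header
        if dst == BROADCAST:
            counts["broadcast"] += 1
        elif dst[0] & 1:
            counts["multicast"] += 1  # group bit set in first octet
        elif dst == sensor_mac:
            counts["to_sensor"] += 1
        else:
            counts["unicast_other"] += 1  # only arrives if mirroring works
    return counts

def mirror_delivers_unicast(counts):
    """True when the sensor sees unicast frames addressed to other hosts."""
    return counts["unicast_other"] > 0

# Constructed MACs and captures: the thread's symptom, then a working mirror.
SENSOR, HOST_A, HOST_B = (bytes.fromhex("52540000000" + d) for d in "1ab")
def frame(dst, src):
    return dst + src + b"\x08\x00" + bytes(46)  # IPv4 ethertype, zero payload
SYMPTOM = build_pcap([frame(BROADCAST, HOST_A), frame(bytes.fromhex("01005e0000fb"), HOST_B)])
HEALTHY = build_pcap([frame(BROADCAST, HOST_A), frame(HOST_B, HOST_A), frame(HOST_A, HOST_B)])

if __name__ == "__main__":
    for name, cap in (("symptom", SYMPTOM), ("healthy", HEALTHY)):
        print(name, classify(cap, SENSOR))
```

To use it on real data, pass the bytes of a capture written with `tcpdump -w` on the sensor interface together with that interface's own MAC address.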