Xen project Mailing List

[Xen-users] Re: Snort on domU

To: xen-discuss@xxxxxxxxxxxxxxx, xen-users@xxxxxxxxxxxxxxxxxxx

Date: Sat, 27 Jun 2009 22:16:13 -0400

Cc:

Delivery-date: Sat, 27 Jun 2009 19:17:01 -0700

Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; b=AAfrR13E6cWXBALWyVd26OYWmYaS3sw9rCgKp6pZG7bVTQ8uX4bwC1vH91JGymmEjA 10gt1Y4s+kTEgO6PcRGIK2s7PkVYoCM4GeXfjwwrKVYTb1kPL1Rf+jhtxnzvT+QPBZjB EQLVacY2aO3S40xBRil1U8d73zNzCVus0ldTA=

List-id: Xen user discussion <xen-users.lists.xensource.com>

Crossbow

rgds,

dot.yet

On Fri, Jun 26, 2009 at 12:54 PM, David Edmondson <dme@xxxxxxx> wrote:

* fajar@xxxxxxxxx [2009-06-26 16:56:40]

> On Fri, Jun 26, 2009 at 5:09 PM, David Edmondson<dme@xxxxxxx> wrote:
>> * dot.yet@xxxxxxxxx [2009-06-25 23:08:41]
>>> Can anyone confirm if a xen based domU can be used for snort setup? It is
>>> not for commercial use, rather just SOHO use.
>>
>> You can run snort in a guest, but it won't see all of the traffic from
>> the wire.
>>
>> It gets:
>> - traffic to its' MAC address,
>> - traffic with the multicast bit set in the destination address.
>>
>
> ... and how is this different from a physical server, connected to a
> switch? Won't the switch filter out packets not intended for mac
> addresses on a particular port?

Most switches do this, yes. In that case it's usually possible to put a
switch port into monitor mode, which means that it gets all
packets. This isn't currently possible with the Solaris VNIC
implementation.

dme.
--
David Edmondson, Sun Microsystems, http://dme.org

_______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-users

Follow-Ups:

[Xen-users] Re: Snort on domU
- From: David Edmondson