
[Xen-users] Xen/Snort sensor VM network config

I am attempting to create an IDS appliance proof-of-concept using Xen to
virtualize the management server and sensors.  To keep things simple, I am
just trying to get one domU sensor and the domU management VM working
together for now, but plan on using multiple domU sensors eventually.  The
VMs are all configured and ready to go, but the problem I am running into
is an inability to see all the traffic from a switch's monitoring port
using the second NIC.  I am looking for some advice as to how to configure
Xen networking to allow a domU VM to see all traffic going to eth1.

I have tried several different configurations, and scoured the mailing list
archives, but could not find a solution.

I have attempted to create a custom networking script that creates a Xen
bridge for each NIC.  This works, and I can see all the traffic from the
switch when using tcpdump -i peth1 or tcpdump -i xenbr1 in dom0, but all I
can see is L2 broadcast traffic when using tcpdump -i eth1 inside the
sensor domU.  I have also created my own bridge and configured the sensor
domU to use my bridge, but got the same results.  I have thought about
trying to use ebtables to try and turn the bridge into a "hub" (assuming
this is even possible), but would like to avoid complicating the
configuration any more than necessary.  I can see that Xen is correctly
adding vif[id].1 to my custom bridge (and xenbr1, for that matter), and I
understand why the domU can't see all the traffic from the switch, I'm just
not sure how to configure it so that I can.

I've seen a few references on the lists of people doing this (without
providing details), so I know it can be done, but I'm not sure where to go
from here.

I would like to avoid sending the traffic through dom0 if possible.  I know
it is possible to hide the 2nd NIC from dom0, but I'm not sure how to get
the domU sensor to see it.  Do I just need to compile the NIC driver into
the domU kernel?  I would also like to have eth1 in the domU sensor have no
IP and be incapable of transmitting any traffic.  Essentially, I am trying
to do this (see below), but if anyone can suggest a better configuration, I
would love to hear it.

+------+     +--------+      +---------+
| eth0 |-----| xenbr0 |---+--| dom0    |
+------+     +--------+   |  +---------+
                          |  +---------+
                          +--| mgmtU   |
                          |  +---------+
                          |  +---------+
                          +--| sensorU |
+------+                     |         |
| eth1 |---------------------| <-snort |
+------+                     +---------+


Any advice/suggestions would be greatly appreciated.

Thanks,

Skyler Bingham
This e-mail and files transmitted with it are confidential, and are
intended solely for the use of the individual or entity to whom this e-mail
is addressed.  If you are not the intended recipient, or the employee or
agent responsible to deliver it to the intended recipient, you are hereby
notified that any dissemination, distribution or copying of this
communication is strictly prohibited.  If you are not one of the named
recipient(s) or otherwise have reason to believe that you received this
message in error, please immediately notify security@xxxxxxxxxxxxxxxxxxxx
by e-mail, and destroy the original message.  Thank You.
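The following is an added example of the dom0 side of the configuration the post asks about; it is written for this page and is not code from the post or from Xen's own network scripts. It assumes the Xen bridge for the monitor NIC is xenbr1 with the physical port peth1 on it and that the sensor domU's second interface appears in dom0 as vif1.1 (the post does not fix these names; override them with environment variables). The reason only broadcast reaches the domU is that a learning bridge sees every MAC of the mirrored traffic on peth1 and therefore never forwards unicast to the vif; the script turns the bridge into a flooding "hub" by disabling MAC learning, then uses ebtables so the sensor vif can receive but never transmit. It has a DRY_RUN mode so the commands can be inspected without root.

```shell
#!/bin/sh
# Added example, not code from the original post or from Xen itself.
# Dom0-side configuration for a monitor-port bridge that behaves like a
# hub (floods every frame to the sensor vif) and an ebtables lockdown so the
# sensor domU can receive on that bridge but never transmit through it.
#
# Assumed names (not given in the post): the Xen bridge script has already
# created xenbr1 with the physical port peth1 on it, and the sensor domU's
# second vif shows up as vif1.1. Override with environment variables.
# Run with DRY_RUN=1 to print the commands instead of executing them;
# without it you need root, bridge-utils, iproute2 and ebtables.

MON_BRIDGE="${MON_BRIDGE:-xenbr1}"   # bridge attached to the SPAN port
MON_PORT="${MON_PORT:-peth1}"        # physical NIC on that bridge (dom0 name)
SENSOR_VIF="${SENSOR_VIF:-vif1.1}"   # sensor domU's vif on MON_BRIDGE

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Make MON_BRIDGE forward like a hub. A learning bridge only floods frames
# whose destination MAC it has not seen. Mirrored SPAN traffic carries both
# endpoints' MACs, and the bridge learns all of them on MON_PORT, so every
# unicast frame looks like it belongs on the port it arrived from and is
# dropped instead of being sent to the vif; only broadcast gets flooded.
# An ageing time of 0 stops the bridge from keeping learned entries, so
# every frame is flooded to all ports (assumption: the kernel accepts 0
# here; newer kernels may enforce a minimum, check with brctl showstp).
hub_bridge_setup() {
    run brctl stp "$MON_BRIDGE" off            # no STP frames onto the SPAN port
    run brctl setageing "$MON_BRIDGE" 0        # disable MAC learning -> hub
    run ip link set "$MON_PORT" promisc on     # accept frames for any MAC
    run ip addr flush dev "$MON_BRIDGE"        # dom0 has no address on it
    run ip link set "$MON_PORT" up
    run ip link set "$MON_BRIDGE" up
}

# Stop the sensor from ever sending a frame out of the monitor bridge:
# drop anything entering the bridge from its vif, whether it would be
# forwarded to another port (FORWARD) or delivered to dom0's stack (INPUT).
# ebtables matches on the interface name, so the rules can be added before
# or after the domU is started.
sensor_vif_lockdown() {
    run ebtables -A FORWARD -i "$SENSOR_VIF" -j DROP
    run ebtables -A INPUT   -i "$SENSOR_VIF" -j DROP
}

# Inside the sensor domU (not dom0): bring the capture interface up with no
# address so Snort or tcpdump see everything the bridge floods.
sensor_domu_iface_setup() {
    run ip addr flush dev eth1
    run ip link set eth1 up promisc on
}

# Only act when explicitly asked, so sourcing the file just defines functions.
if [ "${RUN_SETUP:-0}" = "1" ]; then
    hub_bridge_setup
    sensor_vif_lockdown
fi
```

Run it in dom0 as `RUN_SETUP=1 sh hubbridge.sh` after the Xen bridge script has created xenbr1, then start the sensor domU with a second vif on that bridge (Xen 3 config syntax, assumed to match the poster's setup: `vif = [ 'bridge=xenbr0', 'bridge=xenbr1' ]`) and call `sensor_domu_iface_setup` inside the guest before starting Snort on eth1. Re-run `tcpdump -ni eth1` in the domU to confirm unicast now arrives. The alternative the post raises, hiding the NIC from dom0 and handing it to the domU as a PCI device, bypasses the bridge entirely; this script is not needed in that case, and the no-transmit rule then has to be enforced inside the guest instead.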


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users