[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Xen-users] Re: [xen-discuss] Snort on domU

  • To: <xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: "Dustin Henning" <Dustin.Henning@xxxxxxxxxxx>
  • Date: Fri, 26 Jun 2009 12:29:44 -0400
  • Delivery-date: Fri, 26 Jun 2009 09:31:14 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>
  • Thread-index: Acn2eepZh6BKbc1TSYmR8wFQYlsOZAAAPBjQ
        I believe Fajar was implying that it would be no different than
having a switch between the switch where one is using port mirroring and the
machine one using for snort.  It might even be possible to send other
traffic to a specific destination on said switch as well, but that is more
of a Linux bridging question.  Regardless, a switch is a multiport bridge,
and so is the bridging used in Xen.  ;)
        Dustin

-----Original Message-----
From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Nathan Eisenberg
Sent: Friday, June 26, 2009 12:02
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Re: [xen-discuss] Snort on domU

I would imagine that the bridge acts as its own filtering link, so even if
you used a hub or port mirroring, the domU will only get frames destined for
it.
Best Regards,
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC

Sent from my BlackBerry

-----Original Message-----
From: "Fajar A. Nugraha" <fajar@xxxxxxxxx>

Date: Fri, 26 Jun 2009 22:56:40 
To: David Edmondson<dme@xxxxxxx>
Cc: <xen-discuss@xxxxxxxxxxxxxxx>; <xen-users@xxxxxxxxxxxxxxxxxxx>; Dot
Yet<dot.yet@xxxxxxxxx>
Subject: [Xen-users] Re: [xen-discuss] Snort on domU


On Fri, Jun 26, 2009 at 5:09 PM, David Edmondson<dme@xxxxxxx> wrote:
> * dot.yet@xxxxxxxxx [2009-06-25 23:08:41]
>> Can anyone confirm if a xen based domU can be used for snort setup? It is
>> not for commercial use, rather just SOHO use.
>
> You can run snort in a guest, but it won't see all of the traffic from
> the wire.
>
> It gets:
>    - traffic to its' MAC address,
>    - traffic with the multicast bit set in the destination address.
>

... and how is this different from a physical server, connected to a
switch? Won't the switch filter out packets not intended for mac
addresses on a particular port?

-- 
Fajar

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users







_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.