[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-users] Re: Snort on domU

* fajar@xxxxxxxxx [2009-06-26 16:56:40]
> On Fri, Jun 26, 2009 at 5:09 PM, David Edmondson<dme@xxxxxxx> wrote:
>> * dot.yet@xxxxxxxxx [2009-06-25 23:08:41]
>>> Can anyone confirm if a xen based domU can be used for snort setup? It is
>>> not for commercial use, rather just SOHO use.
>> You can run snort in a guest, but it won't see all of the traffic from
>> the wire.
>> It gets:
>> Â Â- traffic to its' MAC address,
>> Â Â- traffic with the multicast bit set in the destination address.
> ... and how is this different from a physical server, connected to a
> switch? Won't the switch filter out packets not intended for mac
> addresses on a particular port?

Most switches do this, yes. In that case it's usually possible to put a
switch port into monitor mode, which means that it gets all
packets. This isn't currently possible with the Solaris VNIC

David Edmondson, Sun Microsystems, http://dme.org

Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.