Snort - configuration of the switch - sniffing physical and virtual

Hello

There was a bit of discussion on this topic already and I read all of it, but I'm still lost as to whether what I want to do is possible and how.   I need IDS capability in my VMware environment and in my physical switching environment.

1. That being said, I don't know where to put Snort.

2. I know that I can put Snort on a virtual machine and give it an interface on each vSwitch, with promiscuous mode enabled so it sees the traffic on those vSwitches, but is that the best way to do it?

3. How do I get traffic from the physical switches down to a virtual machine?  Is that even possible?

I'm on 3.5 and using Foundry switches, if it matters.

The other idea I have is to not worry about this and put my IDS in the physical environment, since all inter-VLAN traffic should go through the firewall anyway, which sits in the physical switching environment.  That won't let me know about VM -> VM attacks, however.

What does everyone think about this?

Hello

That's about where I was at.  The other problem I have is that I need to enable promiscuous mode on the whole portgroup or vSwitch.

Only on the portgroup, never the vSwitch.

This means that any host in this portgroup can promiscuously listen on any network card within this portgroup, right?

That's right, but you must then periodically check the portgroup to ensure that no unauthorized VM is on the portgroup.

> Is there a dashboard that can read in several Snort sensors and show all the alerts?

There are a few web-based ones. I would check snort.org... I used BASE, but I no longer use Snort directly. It is integrated into my firewalls now.

Best regards
Edward L. Haletky
VMware communities user moderator, VMware vExpert 2009
====
Author of the book 'VMware ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro articles - Top Virtualization Security Links - Virtualization Security Round Table Podcast
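The periodic check Edward describes (only the sensor may sit on a portgroup that allows promiscuous mode), written here as an added example in Python over a constructed inventory, not code from the thread or from VMware. It also covers the inherited case he warns about: when promiscuous mode is allowed on the vSwitch itself, every portgroup on it inherits that policy. The dataclasses, sample names and `run_sample` helper are assumptions for the example; in a real audit the same fields would come from PowerCLI or pyVmomi.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed inventory model (sample data, not read from a real host); in a real
# audit these fields come from PowerCLI or pyVmomi, the checking logic is the point.
@dataclass
class VSwitch:
    name: str
    allow_promiscuous: bool = False

@dataclass
class PortGroup:
    name: str
    vswitch: str
    allow_promiscuous: Optional[bool] = None  # None = inherit the vSwitch policy

def effective_promiscuous(pg: PortGroup, vswitches: Dict[str, VSwitch]) -> bool:
    """On ESX a portgroup inherits the vSwitch security policy unless it overrides it."""
    if pg.allow_promiscuous is not None:
        return pg.allow_promiscuous
    return vswitches[pg.vswitch].allow_promiscuous

def audit_promiscuous(vswitches: Dict[str, VSwitch], portgroups: Dict[str, PortGroup],
                      vms: Dict[str, List[str]], sensor_vms: Set[str]) -> list:
    """Findings as (kind, object, vm): 'switch-level' when promiscuous mode is allowed on
    the vSwitch itself (every portgroup inherits it), 'unexpected-vm' for each non-sensor
    VM on a portgroup that effectively allows it (that VM can sniff the whole segment)."""
    findings = [("switch-level", vs.name, None) for vs in vswitches.values() if vs.allow_promiscuous]
    for pg in portgroups.values():
        if not effective_promiscuous(pg, vswitches):
            continue
        for vm_name, attached in vms.items():   # vms maps VM name -> portgroups it is on
            if pg.name in attached and vm_name not in sensor_vms:
                findings.append(("unexpected-vm", pg.name, vm_name))
    return findings

# Constructed sample: a dedicated sensor portgroup, a production portgroup, and a
# second vSwitch mistakenly set promiscuous at switch level.
SAMPLE_VSWITCHES = {"vSwitch0": VSwitch("vSwitch0"), "vSwitch1": VSwitch("vSwitch1", True)}
SAMPLE_PORTGROUPS = {
    "IDS-Span": PortGroup("IDS-Span", "vSwitch0", allow_promiscuous=True),
    "Prod-VMs": PortGroup("Prod-VMs", "vSwitch0"),
    "Dev": PortGroup("Dev", "vSwitch1"),
}
SAMPLE_VMS = {"snort-sensor": ["IDS-Span", "Prod-VMs"], "web01": ["Prod-VMs"],
              "rogue-vm": ["IDS-Span"], "dev01": ["Dev"]}

def run_sample():
    return audit_promiscuous(SAMPLE_VSWITCHES, SAMPLE_PORTGROUPS, SAMPLE_VMS, {"snort-sensor"})

if __name__ == "__main__":
    for kind, obj, vm in run_sample():
        print(f"{kind}: {obj} {vm or ''}".rstrip())
```

Against the sample it reports vSwitch1 (switch-level), rogue-vm on IDS-Span, and dev01 on Dev (which only inherits promiscuous mode from vSwitch1); web01 on Prod-VMs is clean.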

Tags: VMware

Similar Questions

  • Update of the Switch Executive configuration from 2.1 to 3.5

    Hello world

    I tried to update Switch Executive 2.1 to 3.5 and found that my configurations have stopped working. To me, it looks like 3.5 dislikes my IVI configuration for switching modules.

    The function check in MAX tells me that the PXI cards are not available. The first page of the configuration of the switch shows no configuration / terminal blocks.

    Because the configuration consists of nine matrices with lots of cards, I would really appreciate a way to properly import the old configurations (xml files are available).

    Any ideas?

    See you soon

    Oli

    Hi Oli,

    Yes, there was a major change in Switch Executive 3.5 - it now uses NI-DAQmx calls for the switching hardware. There is a KB document on the upgrade process for a simulated configuration from an earlier version, but of course you can try the steps that make sense, too:

    Import of NI Switch Executive 3.0 and previous virtual devices into NI Switch Executive 3.5 and later versions

    http://digital.NI.com/public.nsf/allkb/1D1099A85B156FA68625778500787444

    However, I have noticed that the KB editor uses a .txt configuration file instead of the .xml you have. I see two options here: first, if you still have a system with Switch Executive 2.1, you could probably export the settings as text; or you can try to modify the .xml file manually to resemble the layout of the text (probably a lot of work, you would have to learn the structure of the text by trial and error using newly created Switch Executive 3.5 configurations...)

    Best regards

    Sebastian

  • Configuration of the switch SGE2010P

    I am facing a problem during the installation of the SGE2010P switch with a UC560. There are two switches at the site, an SF300 and an SGE2010P. The SF300 works very well. But the SGE2010P switch is a problem. I connected the UC560 to the SF300 directly and connected the SGE2010P to the SF300. In the two switches, all ports are trunk, data vlan untagged and voice vlan tagged. The SGE2010P switch is standalone. Unfortunately, the phones connected to the SGE2010P don't work. Then I started troubleshooting: untagged all ports which phones are connected to, only in the voice vlan (data vlan excluded), and set the same ports to be access ports. Set the STP priority to zero. Now some phones work, some do not. Can someone suggest what to do to fix this?

    Hi sham, by default the EMS classic switch runs classic spanning tree. Switch this to RSTP. Secondly, you may need to manually set port fast on all ports: under spanning tree interfaces, set the edge port to on instead of auto.

    You said that all ports have the data vlan untagged and the voice vlan tagged; if that's the case, your vlan configuration is done. Assuming that the SF300 carries exactly what you did on the EMS.

    In addition, you mentioned that the EMS is standalone; please check again. If you use port 24 or 48 while in stacking mode, these ports do not work.

    -Tom
    Please mark replied messages useful

  • Configuration of the Airport Extreme problem and Vigor 120

    Hi all

    Here is the situation: I have a Vigor 120 installed in bridge mode with my AirPort Extreme, with the PPPoE settings of my ISP: VPI/VCI 8/35, PPPoE/LLC, ADSL2+, login and password. When the Vigor was configured as a router it worked perfectly, but in bridge mode it managed to establish a PPPoE connection to a PC; with the AirPort, no luck: I got an invalid IP address and a flashing orange light.

    I have the latest AirPort and Vigor firmware and I'm doing a power-cycle reboot after each change.

    Here are the settings in effect on the 120

    Any help would be more than welcome

    It's sad to say that PPPoE on the Apple is not reliable.

    I have the same problem... I can't use Apple routers with PPPoE on my modem in bridge mode... regardless of the brand.

    PPPoE is a bunch of variations... PAP or CHAP for example... and the number of retries and the time between retries.

    Apple offers zero control over any of that... and no logs to find out what is going on.

    I had to simply replace the Apple router with another router... any other router seems to work fine... It's just the Apple that failed on me...

    I tried with several different Apple routers using all the firmware, from the old to the latest... all fail. So I guess it's at least consistent.

  • Possible to have the physical and virtual units of ESA in the same group?

    Given the scarcity of available information about virtual appliances, does anyone have any idea if it is possible to run a physical C160 and a C300V running the same version of AsyncOS in the same cluster?  I need to migrate from physical to virtual and have been evaluating the possibility of migrating to the C300V from the C160 by adding a C300V to a cluster and then decommissioning the C160.

    Does anyone know about this?

    Thank you

    Nathan-

    Yes.  You can, as long as the appliance and the virtual appliance are running the same AsyncOS.  The "clusterconfig" command will work in exactly the same way.  You just need to make sure that your C300V has the feature keys loaded in order to run the cluster.

    -Robert

  • The configuration of the new MacBook Pro and HP C4780 wireless connectivity helps

    The MacBook Pro is on OS 10.6.3, so the CD that was included in the box of the C4780 should not be used.  I need to configure the wireless settings in the printer.  I can connect the printer via USB and it prints.  All the information that I have seen and read states to use the "Printer Setup Utility" for this, but I can't seem to find it.  All required HP software is supposed to be on the Mac under 10.6.  I'm relatively new to a Mac and I tried to look around to find the utility but haven't found it.  The only utilities that I can find under 'Printers and Faxes' and 'Options' for the C4780 are a number of requests for test pages, ink, supplies and other levels.  Can someone point out exactly where I find the Setup utility?

    OK, I did everything above, and it does now print.  I even reset the printer IP to the original IP just to try again and it also now works.  My printing problem may have had more to do with resetting the print subsystem and then redefining the printer for the Mac.

    In any case, I'm now moving forward with other installation problems.  Thanks for the help and suggestions.

  • How to know the difference between RDM physical and virtual

    Hello!

    How can I see if an RDM (raw device) is physical or virtual?

    Can I see it in the vmx file or easily elsewhere?

    I have a few servers running both VMFS and RDM disks inside the virtual machine, and when you use ESX Ranger and make a snapshot backup, they are skipped and not backed up.

    Grateful for a response

    When you edit the settings of the virtual machine and choose the RDM, there will be a radio button selected for the RDM mode - it is really obvious. It will be set to physical or virtual.

  • Configuration of the switch...

    Hi guys

    I'm building a basic network (NIC teaming design) using two network adapters for all communication on some ESX 3.5 hosts

    my questions are:

    1. Do I need any special configuration on the physical switch ports, such as trunking? Especially for vmnic4 and vmnic5?

    2. Which NIC teaming on ESX should I use, because I want both network cards active: load balancing, failover, network failure detection

    Please let me know what should I have in here

    Thank you very much

    Not exactly.  For link aggregation to work properly, make sure you use IP hash on the ESX vSwitch/portgroup config and src-dst-ip on your switch.  Without it, no 'load balancing' occurs.

    -KjB

  • Configuration of the switch of the NAC

    Hello!!

    I bought a NAC server and a NAC manager, to centrally manage the vlan where users connect to, based on authentication.

    I have several sites, but the NAC server will be at Headquarters.

    When a remote user authenticates, NAC must configure the user's switch port for the right vlan.

    Is this an out-of-band solution?

    Do I need a specific license for out-of-band?

    Best of luck,

    Miguel Amaral

    Hello

    It's the same pattern: you need 2 licenses, one for the CAM and the other for the CAS.

    The CAM license sets the number of CASes you can add.

    The CAS license defines how many users are supported.

    So either the CAS PAK has been lost, or it was never bought.

    In both cases, you will need to contact the entity that sold the devices and ask for the CAS PAK.

    HTH,

    Tiago

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • Shared memory is configured on the disk or physical RAM?

    Version: 11.2

    Platform: RHEL 6

    On Linux, we have put the following into /etc/sysctl.conf to set up shared memory.

    # 61 gb shared memory configuration

    kernel.shmmax = 65719476736

    Where is this 61 GB of memory allocated? In physical RAM or on disk?

    Shared memory will be allocated in RAM and may be subject to being paged out (written to disk).

    However, you should use huge pages, which are not subject to paging or swapping.  (The value vm.nr_hugepages in /etc/sysctl.conf.)

    In addition, setting kernel.shmmax allocates exactly zero bytes of shared memory.

    shmmax is the upper limit on the size of a single shared memory segment.  It does not actually allocate *anything*, though.

    It also does *not* set a limit on the total amount of shared memory that can be allocated.  That is controlled by shmall.

    Hope that helps,

    -Mark

  • Configuration of the physical network adapters for vSwitches

    Hello! I am currently running 1 ESXi 4.1 server, a Dell PowerConnect 2708 switch (8 ports) and 2 vSwitches.

    My question is this:

    Why doesn't my ESXi / vCenter server detect the physical adapters or the various Dell switch ports? I can only see 1 physical adapter, which is my physical Broadcom card installed in the physical ESXi server. From what I've studied, I've seen ESXi / vCenter Server users able to detect at least 1 or 2 physical cards on their Cisco switches.

    Is the problem the manufacturer? Dell or Cisco? I can now only see 2 physical network adapters on my vCenter Server: "vmnic0", which is up and connected to my main switch which has internet access, and "vmnic32" under "Gigabit Ethernet PCIe", which is down and waiting, and which I'm unable to set up at all.

    I just need 1 physical adapter to connect to my newly created second vSwitch. Please give helpful suggestions! Thank you!!!

    The Dell switch must support CDP; if it does not, you will not see any information about the Dell switch - are both network ports plugged in with network cables?

    If you find this or any other answer useful please consider awarding points marking the answer correct or useful

  • No menu item of the Security Configuration on the switch of the device for ExternalEmbeddedDevice

    Although the use of NullAuthenticationProvider works as expected, I would like to try to sign a request (minimum profile) and deploy it on my RaspberryPi, but following the installation guide and Applications running on the Raspberry Pi board, I'm stuck at method #1, point 8, since in the device selector window, whenever I right-click on EmbeddedExternalDevice, no "Security Configuration..." item is displayed in the context menu. This item is displayed by the same operation on other devices (EmbeddedDeviceX and Qualcom_IoE_Device).

    Any idea?

    It seems a manual edit of _policy.txt is the only option for the RPi. The documentation is missing on this part. EmbeddedDeviceX and Quacomm_IoT_Device are the emulators where all configuration files are local and accessible on the file system from the SDK/NetBeans.

  • Need help with Windows 8 Configuration of the updates to fail and return


    I solved the problem by doing this...

    I disabled secure boot in the BIOS, reformatted the computer through the restore partition using the 'Minimized Image' option, disabled automatic updates, manually downloaded KB2871389 and KB2917499 and installed them, then ran the Windows Update troubleshooter, and it then allowed me to start the 8.1 download from the Microsoft Store without the updates which were needed for Win8. As I type this, 8.1 is installing. I cross my fingers and hope it works. I have WAY too much time invested in this crazy situation. Microsoft is getting worse day by day.

  • Profile of user configuration / synchronize the profile between client and Server version

    We are customizing our domain (Windows 2008 R2). The domain user should have the opportunity to work as a local user and as a domain user. Profiles should be synchronized every time the user is in the intranet. We have the following goals

    1. setting up a user profile on the domain (server side) for Windows XP, Vista and Windows 7

    2. synchronizing the local profiles with the domain profiles

    Thank you very much for your support.

    HELMAT Amin

    You won't find many people who know about servers in a Windows Vista newsgroup. Best to find one of the TechNet or MSDN server newsgroups and post this kind of question there.

    'helmat' wrote in the new message: * e-mail address is removed from the privacy... *

    We are customizing our domain (Windows 2008 R2). The domain user should have the opportunity to work as a local user and as a domain user. Profiles should be synchronized every time the user is in the intranet. We have the following goals

    1. setting up a user profile on the domain (server side) for Windows XP, Vista and Windows 7

    2. synchronizing the local profiles with the domain profiles
    Thank you very much for your support.

    HELMAT Amin

  • Proven practical suggestion: physical to virtual (P2V) migration preparation and success - a guide from real-world experience.

    (Current and evolving paper)

    I propose to publish a paper on the key factors to make a P2V project run as smoothly as possible and complete on time. The reason? In my opinion, there is a gap in the confidence of SMBs when starting a codification operation (in any form) of a Virtual Infrastructure.

    The document is not intended to be a step-by-step guide but to cover the following topics: commercial considerations, operational requirements, review, targeting, during migration, communication tools and procedures, P2V environment.

    This publication will be sprinkled with real-world examples of how a general textbook approach doesn't always work, with pointers on how to avoid the most common misconceptions.

    Two high-pressure and successful migrations (a merger and a disaster recovery / business continuity gap) will be the basis of the experience I'll draw on.

    Comments and thoughts are valued for:

    The...

    (1) target audience.

    (2) the structure.

    (3) the style of output.

    (4) the notice of application for this document.

    Kind regards

    Darren.

    BUZZ!
