WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Snort monitoring of Xen guests

To: Mark Chandler <mcl@xxxxxxxxxxx>
Subject: Re: [Xen-users] Snort monitoring of Xen guests
From: John Haxby <john.haxby@xxxxxxxxxx>
Date: Mon, 28 Apr 2008 10:30:47 +0100
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 28 Apr 2008 02:32:28 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <48140D9D.4060207@xxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <48140D9D.4060207@xxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.12 (X11/20080226)
Mark Chandler wrote:
Hi all,

From another post on this list, it seems that the only way to monitor all traffic to guests in a host is to bind to the peth interface that is bound to the bridge that serves the guests. Is this the only way of doing it? Ideally, I'd like to have one guest running Snort that monitors everything else.
ebtables is probably your friend.   Something like

   ebtables -t broute -A BROUTING -s <dom0 MAC> -j ACCEPT
   ebtables -t broute -A BROUTING -d <dom0 MAC> -j ACCEPT
   ebtables -t broute -A BROUTING -s <domU MAC> -j ACCEPT
   ebtables -t broute -A BROUTING -d <domU MAC> -j ACCEPT
   ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp -j dnat --to-dst <domU MAC> --dnat-target ACCEPT

Where <domU MAC> is the MAC address of the guest you want to run Snort on. The first four rules ensure that traffic from dom0 and the monitoring domU passes unimpeded through the bridge; the last rule redirects all TCP traffic to or from any other guest through the monitoring domU.

Of course, it doesn't have to be a domU on this machine, it can be any machine, virtual or otherwise, on the LAN since you're just redirecting traffic at the layer 2 level. You'll probably want to do more with the last rule as well, as you'll probably want some (or all) UDP traffic redirected to the monitor but you might want to draw the line at ICMP, ARP and Appletalk :-)

jch

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
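The ruleset from the reply above, turned into a script. This is an added example, not John Haxby's commands or anything shipped with Xen: the function generates the ebtables commands for a given dom0 MAC and monitor-guest MAC, validates the MACs first, flushes the BROUTING chain so stale rules cannot shadow the new ones, and, going slightly beyond the original, takes a list of IP protocols so UDP can be mirrored alongside TCP as the reply suggests. The two 00:16:3e MACs are constructed placeholders (00:16:3e is the Xen OUI); fill in your own. The commands are only printed, so the script can be reviewed before being piped into a root shell on dom0.

```shell
#!/bin/sh
# Added example (not from the original post). Generates the ebtables
# BROUTING rules that hairpin guest traffic through a monitoring domU.

# Validate a MAC address: six colon-separated hex octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Print the ebtables commands.
# Usage: gen_rules DOM0_MAC MONITOR_MAC [PROTO ...]
# PROTO defaults to tcp; pass "tcp udp" to mirror UDP as well.
gen_rules() {
    dom0="$1"; mon="$2"; shift 2
    protos="${*:-tcp}"
    is_mac "$dom0" && is_mac "$mon" || { echo "gen_rules: bad MAC address" >&2; return 1; }

    # Start from an empty chain: rule order matters here, because the
    # ACCEPT rules must be hit before the catch-all dnat rule.
    echo "ebtables -t broute -F BROUTING"

    # In the broute table ACCEPT means "bridge this frame normally".
    # dom0 and the monitor guest must bypass the redirect, otherwise the
    # monitor's own frames would be rewritten back to itself.
    for mac in "$dom0" "$mon"; do
        echo "ebtables -t broute -A BROUTING -s $mac -j ACCEPT"
        echo "ebtables -t broute -A BROUTING -d $mac -j ACCEPT"
    done

    # Every other frame carrying one of the chosen IP protocols has its
    # destination MAC rewritten to the monitor guest and is then bridged
    # (--dnat-target ACCEPT). --to-dst is the ebtables alias for
    # --to-destination.
    for p in $protos; do
        echo "ebtables -t broute -A BROUTING -p IPv4 --ip-proto $p -j dnat --to-dst $mon --dnat-target ACCEPT"
    done
}

# Demo with constructed placeholder MACs; replace with the real ones.
# To apply on dom0 (as root):  gen_rules <dom0 MAC> <monitor MAC> tcp udp | sh -e
gen_rules 00:16:3e:00:00:01 00:16:3e:00:00:02 tcp udp
```

One caveat worth checking before deploying: dnat rewrites the destination MAC, so a redirected frame is delivered to the monitor guest instead of the guest it was addressed to. Traffic between the other guests (and between them and the outside world via peth) only keeps flowing if the monitor forwards those frames on, so the Snort guest has to be set up as an inline bridge rather than a passive listener. Also confirm with `ebtables -t broute -L` that the four ACCEPT rules sit above the dnat rules after the script has run.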
