This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


RE: [Xen-users] Snort monitoring of Xen guests

To: "Mark Chandler" <mcl@xxxxxxxxxxx>, <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-users] Snort monitoring of Xen guests
From: "James Harper" <james.harper@xxxxxxxxxxxxxxxx>
Date: Tue, 29 Apr 2008 22:45:27 +1000
> From another post on this list, it seems that the only way to monitor
> all traffic to guests in a host is to bind to the peth interface that is
> bound to the bridge that serves the guests.

That will only catch traffic that goes via peth. Anything from DomU to
DomU will be missed. That is probably acceptable though if you are only
interested in traffic from external to DomU.

I don't think there is an option in the Linux bridge code to have a
'mirror' port that sees everything, unless maybe you can run snort on
the xenbrX interface itself?
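
The visibility gap described in the reply above, as an added example that is not part of the original e-mail: a simplified learning-bridge model (an assumption, not the Linux bridge code itself) showing which frames a capture bound to a single port can observe. The port names, MAC addresses and frame list are constructed for illustration.

```python
# Added illustration: a minimal learning bridge, used to show which frames a
# sniffer bound to one bridge port can observe. All names are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningBridge:
    def __init__(self, ports):
        self.ports = list(ports)
        self.fdb = {}  # forwarding database: source MAC -> port it was seen on

    def forward(self, in_port, src, dst):
        """Return the set of ports the frame is transmitted on."""
        self.fdb[src] = in_port  # learn where the sender lives
        if dst != BROADCAST and dst in self.fdb:
            out = {self.fdb[dst]}   # known unicast: one egress port only
        else:
            out = set(self.ports)   # broadcast or unknown destination: flood
        out.discard(in_port)
        return out

def visible_on(tap_port, frames, ports):
    """Labels of frames a capture on tap_port sees (received on or sent out of it)."""
    bridge = LearningBridge(ports)
    seen = []
    for in_port, src, dst, label in frames:
        out = bridge.forward(in_port, src, dst)
        if tap_port == in_port or tap_port in out:
            seen.append(label)
    return seen

# Constructed topology: physical NIC plus two guest interfaces on one bridge.
PORTS = ["peth0", "vif1.0", "vif2.0"]
EXT, DOMU1, DOMU2 = "00:00:5e:00:53:01", "00:16:3e:00:00:01", "00:16:3e:00:00:02"
FRAMES = [  # (ingress port, source MAC, destination MAC, label)
    ("vif1.0", DOMU1, BROADCAST, "domU1 ARP who-has domU2"),
    ("vif2.0", DOMU2, DOMU1, "domU2 ARP reply"),
    ("vif1.0", DOMU1, DOMU2, "domU1 -> domU2 TCP SYN"),
    ("vif2.0", DOMU2, DOMU1, "domU2 -> domU1 TCP SYN/ACK"),
    ("peth0", EXT, DOMU1, "external -> domU1 HTTP request"),
    ("vif1.0", DOMU1, EXT, "domU1 -> external HTTP response"),
]

if __name__ == "__main__":
    for port in PORTS:
        print(port, visible_on(port, FRAMES, PORTS))
```

In this model a sensor on peth0 sees the initial broadcast and the external exchange, but none of the unicast frames between the two guests.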

