xen-users
RE: [Xen-users] Snort monitoring of Xen guests
> From another post on this list, it seems that the only way to monitor
> all traffic to guests in a host is to bind to the peth interface that is
> bound to the bridge that serves the guests.
That will only catch traffic that goes via peth. Anything from DomU to
DomU will be missed. That is probably acceptable though if you are only
interested in traffic from external to DomU.
I don't think there is an option in the Linux bridge code to have a
'mirror' port that sees everything, unless maybe you can run snort on
the xenbrX interface itself?
James
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users