This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


RE: [Xen-users] Snort monitoring of Xen guests

To: "James Harper" <james.harper@xxxxxxxxxxxxxxxx>, "Mark Chandler" <mcl@xxxxxxxxxxx>, <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-users] Snort monitoring of Xen guests
From: "Nick Couchman" <Nick.Couchman@xxxxxxxxx>
Date: Tue, 29 Apr 2008 07:32:44 -0600
Delivery-date: Tue, 29 Apr 2008 06:33:24 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Well, I'm not familiar with SNORT, but you can tcpdump on a bridge interface, 
so I don't know why snort wouldn't work.  This should allow you to pick up all 
traffic that goes across the bridge.


>>> On Tue, Apr 29, 2008 at 6:45 AM, "James Harper" <james.harper@xxxxxxxxxxxxxxxx> wrote:

> From another post on this list, it seems that the only way to monitor
> all traffic to guests in a host is to bind to the peth interface that
> bound to the bridge that serves the guests.

That will only catch traffic that goes via peth. Anything from DomU to
DomU will be missed. That is probably acceptable though if you are only
interested in traffic from external to DomU.

I don't think there is an option in the Linux bridge code to have a
'mirror' port that sees everything, unless maybe you can run snort on
the xenbrX interface itself?


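As an added example (not from this thread or from the Xen project), the following POSIX shell script reads a Xen bridge's port list from sysfs to show which guest-to-guest flows a sensor bound to peth would never see, and checks the IFF_PROMISC flag on the bridge device, which is what lets tcpdump or snort on xenbrX receive the DomU-to-DomU frames the bridge forwards internally. The SYSFS_NET variable and the function names are this example's own; the sysfs paths are the kernel's, and the accompanying test runs against a constructed fake sysfs tree.

```shell
#!/bin/sh
# Added example, not from the thread: decide where an IDS sensor must listen on a
# Xen host by reading the Linux bridge state from sysfs.
# SYSFS_NET and the function names are this example's own; the layout
# (/sys/class/net/<bridge>/brif/<port>, /sys/class/net/<if>/flags) is the kernel's.
: "${SYSFS_NET:=/sys/class/net}"

# Print the interfaces enslaved to a bridge, one per line (peth* and vif* on Xen).
bridge_ports() {
    [ -d "$SYSFS_NET/$1/brif" ] || return 1
    for p in "$SYSFS_NET/$1/brif"/*; do
        [ -e "$p" ] && basename "$p"
    done
}

# Number of guest-facing ports (vifDOMID.N) on the bridge.
guest_port_count() {
    bridge_ports "$1" | grep -c '^vif'
}

# Succeed if IFF_PROMISC (0x100) is set in the interface's flags. The bridge
# device only hands forwarded DomU<->DomU frames to a capture socket while it is
# promiscuous; libpcap tools (tcpdump, snort) set this themselves on open, so run
# this check after starting the sensor to confirm coverage.
is_promisc() {
    flags=$(cat "$SYSFS_NET/$1/flags" 2>/dev/null) || return 1
    [ $(( flags & 0x100 )) -ne 0 ]
}

# Guest-to-guest pairs whose traffic never crosses peth, i.e. what a sensor bound
# to the physical port misses. Each unordered pair is printed once.
peth_blind_spots() {
    ports=$(bridge_ports "$1" | grep '^vif')
    for a in $ports; do
        seen=0
        for b in $ports; do
            if [ "$b" = "$a" ]; then seen=1
            elif [ "$seen" -eq 1 ]; then echo "$a<->$b"
            fi
        done
    done
}

coverage_report() {
    echo "bridge $1 ports: $(bridge_ports "$1" | tr '\n' ' ')"
    echo "guest ports: $(guest_port_count "$1")"
    echo "missed by a sensor on peth: $(peth_blind_spots "$1" | tr '\n' ' ')"
    if is_promisc "$1"; then echo "sensor on $1 sees all forwarded frames"
    else echo "$1 is not promiscuous; DomU<->DomU frames are not visible there yet"
    fi
}

[ $# -eq 1 ] && coverage_report "$1"
```

Run it as `sh script.sh xenbr0` on the Dom0; a bridge with a single vif has no blind spot for a peth sensor, while two or more vifs do.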

Xen-users mailing list