WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-users

[Xen-users] Re: Snort on domU

* fajar@xxxxxxxxx [2009-06-26 16:56:40]
> On Fri, Jun 26, 2009 at 5:09 PM, David Edmondson<dme@xxxxxxx> wrote:
>> * dot.yet@xxxxxxxxx [2009-06-25 23:08:41]
>>> Can anyone confirm if a xen based domU can be used for snort setup? It is
>>> not for commercial use, rather just SOHO use.
>>
>> You can run snort in a guest, but it won't see all of the traffic from
>> the wire.
>>
>> It gets:
>>    - traffic to its MAC address,
>>    - traffic with the multicast bit set in the destination address.
>>
>
> ... and how is this different from a physical server, connected to a
> switch? Won't the switch filter out packets not intended for mac
> addresses on a particular port?

Most switches do this, yes. In that case it's usually possible to put a
switch port into monitor mode, which means that it gets all
packets. This isn't currently possible with the Solaris VNIC
implementation.

dme.
-- 
David Edmondson, Sun Microsystems, http://dme.org
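
Added example, not part of the original thread and not code from any poster: it applies the two delivery rules listed above (frames addressed to the guest's MAC, frames with the multicast bit set) to a few constructed Ethernet frames to show which traffic a sensor in the guest would see and which it would miss. The MAC addresses, frame names and function names are hypothetical.

```python
import struct

def mac_bytes(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))

def build_frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a minimal Ethernet II frame (constructed test data)."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def delivered_to_guest(frame, guest_mac):
    """Apply the two delivery rules from the thread to one raw frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[:6]
    if dst == mac_bytes(guest_mac):
        return "unicast-to-guest"
    # The group (multicast) bit is the least significant bit of the first
    # destination octet; broadcast ff:ff:ff:ff:ff:ff has it set as well.
    if dst[0] & 0x01:
        return "group-addressed"
    return None  # unicast for another station: never handed to the guest

def sensor_coverage(frames, guest_mac):
    """Split named frames into those the guest sensor sees and those it misses."""
    seen, missed = [], []
    for name, frame in frames:
        (seen if delivered_to_guest(frame, guest_mac) else missed).append(name)
    return seen, missed

# Hypothetical addresses, constructed for this example.
GUEST = "00:16:3e:00:00:01"
SAMPLE = [
    ("to-sensor", build_frame(GUEST, "00:16:3e:00:00:02")),
    ("arp-broadcast", build_frame("ff:ff:ff:ff:ff:ff", "00:16:3e:00:00:02", 0x0806)),
    ("ipv4-multicast", build_frame("01:00:5e:00:00:fb", "00:16:3e:00:00:03")),
    ("peer-to-peer", build_frame("00:16:3e:00:00:03", "00:16:3e:00:00:02")),
]

if __name__ == "__main__":
    seen, missed = sensor_coverage(SAMPLE, GUEST)
    print("seen by guest sensor:", seen)
    print("invisible to guest sensor:", missed)
```

The "peer-to-peer" frame stands for unicast traffic between two other hosts, which is the traffic a sensor only sees when its port receives all packets.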
