
After spinning up a VM for Snort (actually BT5...) and starting Snort, I'm getting numerous alerts like this:

SNMP Public Access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.1.50.61097 -> 192.168.1.47:161

Where the .50 address is the server, and the .47 address is the BT5 box.

I'm guessing this is because the Snort box is running as a VM on Hyper-V using the Virtual Network Adapter, and it has to do with the traffic in use by the VM and the hypervisor. Sadly, this is not Server 2012 with the cool new port mirroring feature, it is Server 2008R2.

I'm not a whiz at snort rules and so far can't find any decent answers as to how to create a snort rule to ignore this UDP traffic between these two endpoints.

Can you help me out?

bjoster

1 Answer


Give Configuring Virtual Networks a read, namely the following:

Use this type when you want to provide virtual machines with access to a physical network to communicate with externally located servers and clients. This type of virtual network also allows virtual machines on the same virtualization server to communicate with each other. This type of network may also be available for use by the management operating system, depending on how you configure the networking.


When you say "the .50 address is the server", I am assuming you mean the Hyper-V server. It is very likely that the Hyper-V server is configured with either a dedicated External NIC, or that the NIC that has been connected to the same External Virtual Switch that your BackTrack install is using has been selected for Management Traffic ('Allow management traffic to share network adapter' has been selected).

In either case you are seeing traffic from the parent partition on that Hyper-V server on your guest. This is probably OK and by design.

It has been a while since I have worked with Snort, but you should be able to ignore all the TCP and UDP traffic with something like this:

# Snort 2 rule syntax: no trailing semicolon after the header; options go in parentheses.
# Local rules use sids from 1000000 upward. Pass rules only help if they are evaluated
# before the alert rules, which the 'config order' directive in snort.conf controls.
pass tcp 192.168.1.50 any -> any any (msg:"Pass TCP from Hyper-V parent partition"; sid:1000001; rev:1;)
pass udp 192.168.1.50 any -> any any (msg:"Pass UDP from Hyper-V parent partition"; sid:1000002; rev:1;)
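Before silencing these alerts it is worth confirming that every one of them really comes from the Hyper-V host talking to the sensor on UDP/161, and then scoping the exception to that single flow: a blanket pass on all TCP and UDP from 192.168.1.50 makes Snort blind to anything else the parent partition sends to the guest. The script below is an added example, not part of the question or the answer above. It parses Snort's fast-format alert lines (including the bare form pasted in the question, which has no [**] [gid:sid:rev] prefix and a stray trailing quote), tallies alerts per flow so unexpected sources stand out, and builds either a pass rule scoped to one flow or a threshold.conf suppress entry for one signature and source. The sample alert lines are constructed; the 1000001 sid is an assumed local sid, and the 1:1411 gid:sid in the samples should be checked against your own snmp.rules before use.

```python
"""Triage Snort fast-format alerts before writing a pass or suppress rule.

Added example, not from the original question or answer. Sample data is
constructed and modelled on the alert line quoted in the question.
"""
import re
from collections import Counter

# One Snort "fast" alert line. The timestamp, leading [**] and [gid:sid:rev]
# are optional so the bare line from the question parses as well as real
# snort -A fast output. Source/destination ports may follow ':' or '.'.
ALERT_RE = re.compile(
    r"^(?:(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+)?"
    r"(?:\[\*\*\]\s*)?"
    r"(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*)?"
    r"(?P<msg>.+?)\s*\[\*\*\]\s*"
    r"\[Classification:\s*(?P<cls>[^\]]+)\]\s*"
    r"\[Priority:\s*(?P<prio>\d+)\]\s*"
    r"\{(?P<proto>\w+)\}\s*"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})[:.](?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})[:.](?P<dport>\d+)"
)

# Constructed sample alerts. The 1:1411 gid:sid is the stock "SNMP public
# access udp" rule as I recall it; verify against your own snmp.rules.
SAMPLE_ALERTS = [
    "02/14-10:22:31.123456  [**] [1:1411:10] SNMP public access udp [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {UDP} "
    "192.168.1.50:61097 -> 192.168.1.47:161",
    "02/14-10:22:41.223456  [**] [1:1411:10] SNMP public access udp [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {UDP} "
    "192.168.1.50:61098 -> 192.168.1.47:161",
    # Bare form as pasted in the question, stray trailing quote included.
    'SNMP public access udp [**] [Classification: Attempted Information Leak] '
    '[Priority: 2] {UDP} 192.168.1.50.61097 -> 192.168.1.47:161"',
    # A second source that a blanket pass on 192.168.1.50 would not cover and
    # that should keep alerting.
    "02/14-10:23:02.000001  [**] [1:1411:10] SNMP public access udp [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {UDP} "
    "10.0.0.9:5151 -> 192.168.1.47:161",
]


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip().strip('"'))
    if not m:
        return None
    d = m.groupdict()
    for key in ("sport", "dport", "prio"):
        d[key] = int(d[key])
    return d


def summarize(lines):
    """Count alerts per (msg, proto, src, dst, dport) flow."""
    counts = Counter()
    for line in lines:
        a = parse_alert(line)
        if a is not None:
            counts[(a["msg"], a["proto"], a["src"], a["dst"], a["dport"])] += 1
    return counts


def pass_rule(msg, proto, src, dst, dport, sid):
    """Build a pass rule scoped to a single observed flow (sid is an assumed local sid)."""
    return (f"pass {proto.lower()} {src} any -> {dst} {dport} "
            f'(msg:"Local pass: {msg} from Hyper-V host"; sid:{sid}; rev:1;)')


def suppress_entry(gid, sid, src):
    """Build a threshold.conf line that silences one signature for one source host."""
    return f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}"


if __name__ == "__main__":
    for flow, n in summarize(SAMPLE_ALERTS).most_common():
        print(f"{n:4d}  {flow[0]}  {flow[1]} {flow[2]} -> {flow[3]}:{flow[4]}")
    print(pass_rule("SNMP public access udp", "UDP",
                    "192.168.1.50", "192.168.1.47", 161, 1000001))
    print(suppress_entry(1, 1411, "192.168.1.50"))
```

Run it against a real alert file with `summarize(open("/var/log/snort/alert").readlines())`; any flow in the tally other than the host-to-sensor one is traffic the exception should not cover. The suppress form is the narrower of the two, since it only hides one signature from one source while every other rule keeps inspecting that host's traffic.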