
I have installed two physical machines with KVM virtualization using Red Hat as the OS (h1 and h2). In h1 I have installed the virtual machines w1 and db1, and in h2 the virtual machines w2, db1 and ids. The virtual machine ids contains Snort as the IDS system. After the installation I ran the command:

brctl setageing br0 0

in order to let Snort sniff the network traffic, but only the traffic related to the physical machine h2 (the host of the Snort machine) is passing; nothing related to machine h1 and its virtual guests.

Is it possible, with Snort installed in a KVM virtual machine, to detect the traffic of the rest of the machines in the network, or can it only detect the traffic of the machines sharing the same bridge?

thanks

Emilio Macias

1 Answer


The switch your two physical machines are plugged into will itself be learning which ports to send traffic down, so it will have learnt that there's no point sending traffic destined for anything residing on host h1 down the port where host h2 is connected.

Look at configuring a SPAN or mirror port on your switch. This allows you to configure a dedicated port that will receive copies of the traffic on other marked ports (the ports connected to h1 and h2). You then need to attach that dedicated port to your ids VM.

bodgit
  • The "switch" here is a Linux bridge. As far as I can tell it does not support port mirroring. – Michael Hampton Dec 19 '14 at 15:42
  • The question implies that there is more than one bridge, given the ids VM can see traffic from the other two co-located VMs attached to the "same" bridge, implying there's "another" bridge somewhere. I therefore assumed there's simply a bridge on each physical machine to get the VMs attached to the network. While you /could/ join both physical machines with another bridge, it seems far more likely for there to be a switch instead, complete with its own forwarding table. – bodgit Dec 19 '14 at 16:23
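Putting the answer's suggestion into host-side commands, as an added example that is not part of the original question, answer or comments. The switch side is vendor specific and is shown only as a comment; everything else is the KVM host h2, which carries the ids VM. The interface names are assumptions: eth1 is a spare NIC cabled to the switch's mirror destination port, br1 is a dedicated sniffing bridge separate from br0, eth0 is h2's normal uplink, and vnet2 is the ids VM's tap (check it with `virsh domiflist ids`). Option A is the one the answer describes; option B covers the case in the comments where there is no spare NIC and the host itself has to copy frames to the ids tap with `tc mirred`, which works even though the bridge has no mirror feature of its own. Neither option makes h1's traffic visible unless the switch mirror session includes h1's port.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names:
#   eth1  spare NIC on h2 cabled to the switch mirror/SPAN destination port
#   br1   dedicated sniffing bridge (no IP address, never br0)
#   eth0  h2's normal uplink
#   vnet2 tap interface of the ids VM
#
# Switch side (vendor specific, Cisco IOS shown as an assumed example):
#   monitor session 1 source interface GigabitEthernet0/1 - 2   <- ports of h1 and h2
#   monitor session 1 destination interface GigabitEthernet0/3  <- port cabled to eth1
MIRROR_IF=${MIRROR_IF:-eth1}
IDS_BR=${IDS_BR:-br1}
IDS_TAP=${IDS_TAP:-vnet2}

# Run a command, or only print it when DRY_RUN=1, so the plan can be reviewed
# before it touches a production host.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Option A: separate bridge fed by the mirror NIC. No IP on the NIC, promiscuous
# mode on, STP off, ageing 0 so the bridge never learns MAC addresses and floods
# every frame to every member port, i.e. to the ids VM's tap.
mirror_bridge_setup() {
    run ip link set "$MIRROR_IF" up promisc on
    run ip addr flush dev "$MIRROR_IF"
    run brctl addbr "$IDS_BR"
    run brctl stp "$IDS_BR" off
    run brctl setageing "$IDS_BR" 0
    run brctl addif "$IDS_BR" "$MIRROR_IF"
    run ip link set "$IDS_BR" up
    # libvirt adds the tap itself when the ids VM's NIC uses
    # <interface type='bridge'><source bridge='br1'/>; by hand it is:
    run brctl addif "$IDS_BR" "$IDS_TAP"
}

# Option B: no spare NIC. Copy every frame entering (ingress qdisc) and leaving
# (root qdisc) the uplink to the ids tap with tc mirred. The u32 "match u32 0 0"
# filter matches everything and works on old kernels that lack matchall.
mirror_tc_setup() {
    uplink=$1
    run tc qdisc add dev "$uplink" handle ffff: ingress
    run tc filter add dev "$uplink" parent ffff: protocol all u32 match u32 0 0 \
        action mirred egress mirror dev "$IDS_TAP"
    run tc qdisc add dev "$uplink" handle 1: root prio
    run tc filter add dev "$uplink" parent 1: protocol all u32 match u32 0 0 \
        action mirred egress mirror dev "$IDS_TAP"
}

# Check for option A: reads `brctl showstp <bridge>` output on stdin and returns 0
# only when the "ageing time" line reports 0; with any other value the bridge
# learns MACs again and the ids VM is back to seeing only flooded frames.
ageing_is_zero() {
    awk '/ageing time/ { if ($3 + 0 == 0) ok = 1 } END { exit ok ? 0 : 1 }'
}

# Usage: DRY_RUN=1 sh mirror.sh bridge   (or: sh mirror.sh tc, as root)
case "$1" in
    bridge) mirror_bridge_setup ;;
    tc)     mirror_tc_setup "${2:-eth0}" ;;
esac
```

Run it with `DRY_RUN=1` first and read the printed commands; afterwards `brctl showstp br1 | sh -c '. ./mirror.sh; ageing_is_zero'` (or simply `brctl showstp br1`) confirms the bridge is in flooding mode. Snort inside the ids VM then listens on its own NIC (`snort -i eth0 ...`), which must be attached to br1, not to br0.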