Can Snort monitor multiple VLANs in a VM (in ESX4.0 environment)?

I am new to Snort, I followed the instructions on this url:
All went well, Snort is running well and I am having many Snort alerts in the BASE and terminal.

Snort and Barnyard2 in Ubuntu 9.10 is running on My Accer box with dual core Intel CPU @1.86 GHZ, 80G HD.

There is only one 10/100 NIC on my Accer box, so monitoring and management
 are on the same interface. Snort is monitoring only one VLAN (VLAN1) at moment.

Now I would like to use Snort to monitor multiple VLANs, e.g. VLAN 1, VLAN 20 etc, so I converted my Accer-Ubuntu-Snort box into a VM in our ESX4.0 environment, I created two additional NICs on the VM, now there are three  NICs;:NIC1 is for management on VLAN1, NIC2 is for monitoring on VLAN1, and NIC3 is for monitoring on VLAN20.

After lots of “Google”, I have found the following post from Barry (in 2005) is really relevant to my case:

I have got the idea, but it’s still hard for me to follow the actual “HOW TO” steps. I  don’t expect anyone to do “baby-sitter” on Snort, despite Barry did a very good “case study”, but I would like to have some extra info regarding the files, locations, what, how etc (just like the first url link above from Bil) for the Snort dummy like me.

I would like to have the followings:
1.) How to setup the management interface separately from the monitoring interface?
2.) How to setup two instances of Snort and Barnyard to monitor two VLANs on one VM?

* Network ports (for ESX 4.0 machines) on switch are configured in the followings:
•      hybrid link type
•      with VLAN 1, VLAN 20 tagged, and
•      the hybrid PVID is VLAN20.

Any information and help would be much appreciated.

Many thanks in advance.


Who is Participating?
mbsadmin1Connect With a Mentor Author Commented:
The answer for this question is the following:

Use Distributed Virtual switch on our ESX 4.1 enviroment, which makes inline IPS/ IDS become possible in a virtual enviroment.
Alex GalbraithSolutions ArchitectCommented:
I believe for this you have two options, both of which start by trunking all VLANs from your switch to the physical NIC. Then:

1. Create one port group per VLAN, and one vNIC per VLAN, assigning all vNICs to your VM. Then get your app to monitor traffic on all NICs which are assigned to it.

2. Create a single port group with VLAN tag 4095 (with one vNIC assigned to the VM), which effectively allows all ports through on that vNIC, like trunking. You then configure everything on the VM in the same way you would on a physical server.
mbsadmin1Author Commented:
to jkagalbraith: Thanks for the info, it's much appreciated. I am still not sure how to port span (mirroring) would work on a VM enviroment.

Please give me a bit more details of "How" and "procedures" .

Many thanks in advance.


mbsadmin1Author Commented:
This is the key ponit to ISP/IPS in virtual enviroment.
All Courses

From novice to tech pro — start learning today.