Can Snort monitor multiple VLANs in a VM (in ESX4.0 environment)?


I am new to Snort. I followed the instructions at this URL: https://wwwx.cs.unc.edu/~hays/archives/work/index.php
All went well, Snort is running fine and I am getting many Snort alerts in BASE and on the terminal.

Snort 2.8.4.1 and Barnyard2 on Ubuntu 9.10 are running on my Acer box with a dual-core Intel CPU @ 1.86 GHz and an 80 GB HD.

There is only one 10/100 NIC on my Acer box, so monitoring and management are on the same interface. Snort is monitoring only one VLAN (VLAN 1) at the moment.

Now I would like to use Snort to monitor multiple VLANs, e.g. VLAN 1, VLAN 20 etc., so I converted my Acer Ubuntu Snort box into a VM in our ESX 4.0 environment and created two additional NICs on the VM. Now there are three NICs: NIC1 is for management on VLAN 1, NIC2 is for monitoring on VLAN 1, and NIC3 is for monitoring on VLAN 20.

After a lot of Googling, I found that the following post from Barry (from 2005) is really relevant to my case:
http://seclists.org/snort/2005/q2/60

I have got the idea, but it is still hard for me to follow the actual "how to" steps. I don't expect anyone to baby-sit me on Snort, and Barry did a very good case study, but I would like some extra info regarding the files, locations, what, how etc. (just like the first URL above from Bil) for a Snort dummy like me.

I would like to have the following:
1.) How to set up the management interface separately from the monitoring interface?
2.) How to set up two instances of Snort and Barnyard to monitor two VLANs on one VM?

* The network ports (for the ESX 4.0 machines) on the switch are configured as follows:
•      hybrid link type
•      with VLAN 1, VLAN 20 tagged, and
•      the hybrid PVID is VLAN20.

Any information and help would be much appreciated.

Many thanks in advance.

Regards

John
mbsadmin1 asked:
Alex Galbraith (Solutions Architect) commented:
I believe for this you have two options, both of which start by trunking all VLANs from your switch to the physical NIC. Then:

1. Create one port group per VLAN, and one vNIC per VLAN, assigning all vNICs to your VM. Then get your app to monitor traffic on all NICs which are assigned to it.

2. Create a single port group with VLAN tag 4095 (with one vNIC assigned to the VM), which effectively allows all ports through on that vNIC, like trunking. You then configure everything on the VM in the same way you would on a physical server.
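The difference between the two options above is what the guest actually sees on the monitoring vNIC: with one port group per VLAN the vSwitch strips the 802.1Q tag and each vNIC carries untagged frames for a single VLAN, whereas with a VLAN 4095 port group the vNIC carries tagged frames for every VLAN and the sensor has to decode the tag itself (Snort's decoder does this, and a BPF such as `vlan 20` selects on it). The following is an added example, not code from the thread or from Snort: it parses 802.1Q (and stacked 802.1AD/QinQ) tags and demultiplexes frames by VLAN ID, which is the per-VLAN view each Snort instance would get. Untagged frames on a trunk belong to the native/PVID VLAN, so the demultiplexer takes a `native_vid` parameter; the sample frames, MAC addresses and the assumption that the hybrid PVID is VLAN 20 are all constructed for the example.

```python
"""Demultiplex 802.1Q-tagged Ethernet frames by VLAN ID (constructed example)."""
import struct
from collections import defaultdict

TPID_8021Q = 0x8100   # standard VLAN tag (C-tag)
TPID_8021AD = 0x88A8  # QinQ outer tag (S-tag); same 4-byte layout
ETH_IPV4 = 0x0800
ETH_ARP = 0x0806


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame, consuming any stacked VLAN tags.

    Returns dst, src, the list of VLAN IDs outermost-first (empty if
    untagged), the real ethertype and the payload that follows it.
    """
    if len(frame) < 14:
        raise ValueError("runt frame: %d bytes" % len(frame))
    dst, src = frame[:6], frame[6:12]
    off = 12
    vids = []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        # tpid(2) + tci(2) + the following ethertype(2) must all be present
        if len(frame) < off + 6:
            raise ValueError("truncated VLAN tag at offset %d" % off)
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)  # low 12 bits are the VID; PCP/DEI ignored
        off += 4
    return {"dst": dst, "src": src, "vids": vids,
            "ethertype": etype, "payload": frame[off + 2:]}


def demux_by_vlan(frames, native_vid=None):
    """Group frames by their outermost VLAN ID.

    Untagged frames are attributed to native_vid (the trunk's PVID); when
    native_vid is None they are kept under the key None.
    """
    buckets = defaultdict(list)
    for raw in frames:
        parsed = parse_frame(raw)
        vid = parsed["vids"][0] if parsed["vids"] else native_vid
        buckets[vid].append(parsed)
    return dict(buckets)


def build_frame(dst, src, tags, ethertype, payload):
    """Build a frame; tags is a list of (tpid, vid) pairs, outermost first."""
    hdr = dst + src
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample traffic as it would arrive on a VLAN 4095 (VGT) vNIC.
MAC_BCAST = b"\xff" * 6
MAC_A = bytes.fromhex("001122334455")  # made-up addresses
MAC_B = bytes.fromhex("66778899aabb")
IPV4_STUB = b"\x45" + b"\x00" * 19      # IPv4 header-sized filler, not a real packet
SAMPLE_FRAMES = [
    build_frame(MAC_BCAST, MAC_A, [(TPID_8021Q, 1)], ETH_ARP, b"\x00" * 28),
    build_frame(MAC_B, MAC_A, [(TPID_8021Q, 20)], ETH_IPV4, IPV4_STUB),
    build_frame(MAC_A, MAC_B, [], ETH_IPV4, IPV4_STUB),                # untagged: PVID traffic
    build_frame(MAC_B, MAC_A, [(TPID_8021AD, 100), (TPID_8021Q, 20)],
                ETH_IPV4, IPV4_STUB),                                   # QinQ, outer S-tag 100
]


def vlan_summary(frames, native_vid):
    """Return {vid: frame count}: the per-VLAN split a Snort instance per VLAN would see."""
    return {vid: len(lst) for vid, lst in demux_by_vlan(frames, native_vid).items()}


if __name__ == "__main__":
    for vid, n in sorted(vlan_summary(SAMPLE_FRAMES, native_vid=20).items()):
        print("VLAN %4d: %d frame(s)" % (vid, n))
```

With the PVID assumed to be VLAN 20, the untagged frame is counted with VLAN 20 rather than lost; a sensor fed from a 4095 port group that ignores the native VLAN will silently miss exactly that traffic. The QinQ frame is bucketed by its outer tag, which is what a BPF `vlan` qualifier matches first.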
mbsadmin1 (Author) commented:
to jkagalbraith: Thanks for the info, it's much appreciated. I am still not sure how port span (mirroring) would work in a VM environment.

Please give me a bit more details of "How" and "procedures" .

Many thanks in advance.

regards

John
mbsadmin1 (Author) commented:
The answer for this question is the following:

Use a Distributed Virtual Switch in our ESX 4.1 environment, which makes inline IPS/IDS possible in a virtual environment.
mbsadmin1 (Author) commented:
This is the key point to IDS/IPS in a virtual environment.