Hi

I'm trying to detect attacks being generated from inside my network, coming from one of my UML virtual machines, for various reasons.

I'm writing a Perl script which monitors Snort log files for new alerts. When an alert is found I identify the source IP and the action which I'm going to take. For instance, a UDP flood will result in the VM being halted, thus the user being kicked off the server.

The problem I'm having is identifying the process ID of the UML guest. I'm hoping there is some way of associating the PID of a guest with its IP address?

Host OS: Jaunty
Guest OS: Intrepid

Here is the console output when I start the guest:

Code:
billy@billy-desktop:~/uml$ sudo ./linux ubda=ubuntu-ext3-2gb-root.fs mem=256M eth0=tuntap,,,192.168.2.183
[sudo] password for billy: 
Locating the bottom of the address space ... 0x0
Locating the top of the address space ... 0xc0000000
Core dump limits :
	soft - 0
	hard - NONE
Checking that ptrace can change system call numbers...OK
Checking syscall emulation patch for ptrace...OK
Checking advanced syscall emulation patch for ptrace...OK
Checking for tmpfs mount on /dev/shm...OK
Checking PROT_EXEC mmap in /dev/shm/...OK
Checking for the skas3 patch in the host:
  - /proc/mm...not found: No such file or directory
  - PTRACE_FAULTINFO...not found
  - PTRACE_LDT...not found
UML running in SKAS0 mode
Adding 14290944 bytes to physical memory to account for exec-shield gap
Linux version 2.6.29.1 (billy@billy-desktop) (gcc version 4.3.3 (Ubuntu 4.3.3-5ubuntu4) ) #1 Tue May 5 21:27:03 BST 2009
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 68485
Kernel command line: ubda=ubuntu-ext3-2gb-root.fs mem=256M eth0=tuntap,,,192.168.2.183 root=98:0
PID hash table entries: 2048 (order: 11, 8192 bytes)
Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
Memory: 255360k available
Calibrating delay loop... 1730.15 BogoMIPS (lpj=8650752)
Mount-cache hash table entries: 512
Checking for host processor cmov support...Yes
Checking that host ptys support output SIGIO...Yes
Checking that host ptys support SIGIO on close...No, enabling workaround
net_namespace: 520 bytes
Using 2.6 host AIO
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
NET: Registered protocol family 2
IP route cache hash table entries: 4096 (order: 2, 16384 bytes)
TCP established hash table entries: 16384 (order: 5, 131072 bytes)
TCP bind hash table entries: 16384 (order: 4, 65536 bytes)
TCP: Hash tables configured (established 16384 bind 16384)
TCP reno registered
NET: Registered protocol family 1
IRQ 9/mconsole: IRQF_DISABLED is not guaranteed on shared IRQs
mconsole (version 2) initialized on /home/billy/.uml/gmXWqv/mconsole
Checking host MADV_REMOVE support...OK
Host TLS support detected
Detected host type: i386 (GDT indexes 6 to 9)
VFS: Disk quotas dquot_6.5.2
Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
msgmni has been set to 498
io scheduler noop registered
io scheduler anticipatory registered (default)
io scheduler deadline registered
io scheduler cfq registered
TCP cubic registered
NET: Registered protocol family 17
Initialized stdio console driver
Console initialized on /dev/tty0
console [tty0] enabled
Initializing software serial port version 1
console [mc-1] enabled
 ubda: unknown partition table
Choosing a random ethernet address for device eth0
Netdevice 0 (92:c8:5e:91:36:9f) : <6>TUN/TAP backend - IP = 192.168.2.183
eth0 (uml-netdev): not using net_device_ops yet
kjournald starting.  Commit interval 5 seconds
EXT3-fs: mounted filesystem with ordered data mode.
VFS: Mounted root (ext3 filesystem) readonly on device 98:0.
IRQ 3/console-write: IRQF_DISABLED is not guaranteed on shared IRQs
IRQ 2/console: IRQF_DISABLED is not guaranteed on shared IRQs
IRQ 10/winch: IRQF_DISABLED is not guaranteed on shared IRQs
IRQ 10/winch: IRQF_DISABLED is not guaranteed on shared IRQs
 * Setting preliminary keymap...                                                /etc/default/console-setup: 7: D: not found
/etc/default/console-setup: 8: D: not found
/etc/default/console-setup: 9: C: not found
/etc/default/console-setup: 10: C: not found
IRQ 13/xterm: IRQF_DISABLED is not guaranteed on shared IRQs
IRQ 2/console: IRQF_DISABLED is not guaranteed on shared IRQs
IRQ 3/console-write: IRQF_DISABLED is not guaranteed on shared IRQs
IRQ 10/winch: IRQF_DISABLED is not guaranteed on shared IRQs
Couldnt get a file descriptor referring to the console
Use of uninitialized value $x in scalar assignment at /usr/share/perl/5.10/utf8_heavy.pl line 242.
Use of uninitialized value $x in pattern match (m//) at /usr/share/perl/5.10/utf8_heavy.pl line 243.
Use of uninitialized value $uni in pattern match (m//) at /usr/bin/ckbcomp line 3109.
Use of uninitialized value $uni in pattern match (m//) at /usr/bin/ckbcomp line 3109.
                                                                         [ OK ]
 * Setting the system clock
Cannot access the Hardware Clock via any known method.
Use the --debug option to see the details of our search for an access method.
 * Unable to set System Clock to: Wed May  6 12:42:39 UTC 2009
 * Starting basic networking...                                          [ OK ] 
 * Starting kernel event manager...                                      [ OK ] 
 * Loading hardware drivers...                                           [ OK ] 
 * Setting the system clock
Cannot access the Hardware Clock via any known method.
Use the --debug option to see the details of our search for an access method.
 * Unable to set System Clock to: Wed May  6 12:42:41 UTC 2009
 * Loading kernel modules...                                                     * Loading manual drivers...                                             [ OK ] 
 * Setting kernel variables (/etc/sysctl.conf)...                        [ OK ] 
 * Setting kernel variables (/etc/sysctl.d/10-console-messages.conf)...  [ OK ] 
 * Setting kernel variables (/etc/sysctl.d/10-network-security.conf)...  [ OK ] 
 * Setting kernel variables (/etc/sysctl.d/10-process-security.conf)...         error: "kernel.maps_protect" is an unknown key
error: "vm.mmap_min_addr" is an unknown key
                                                                         [fail]
 * Setting kernel variables (/etc/sysctl.d/10-tcp-timestamps-workaround.conf)...                                                                         [ OK ] 
 * Activating swap...                                                    [ OK ] 
 * Checking root file system...                                                 fsck 1.41.3 (12-Oct-2008)
/dev/ubda: clean, 10656/131072 files, 90420/524288 blocks (check in 4 mounts)
                                                                         [ OK ]
 * Checking file systems...                                                     fsck 1.41.3 (12-Oct-2008)
                                                                         [ OK ]
 * Mounting local filesystems...                                         [ OK ] 
 * Activating swapfile swap...                                           [ OK ] 
 * Configuring network interfaces...                                     [ OK ] 
 * Starting system log daemon...                                         [ OK ] 
 * Starting kernel log daemon...                                         [ OK ]

Are there any UML experts who might know how?

Thanks!
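One way to do the IP-to-PID mapping the post asks about, as an added example that is not part of the original post and not the poster's Perl script. It keys on the `eth0=tuntap,<dev>,<mac>,<ip>` argument the guest was started with (visible both in the command line and in the "TUN/TAP backend - IP = ..." line of the console output), and it reads the `pid` file UML writes next to the `mconsole` socket under `~/.uml/<umid>/` (the console output shows that directory). Two assumptions of mine: that the address in that fourth tuntap field is the one you want to key on (UML hands it to `uml_net` as the host-side address of the tap device, so a guest that configures a different address for itself inside will not match, and you would need a mapping of your own, e.g. a fixed `umid=<name>` per guest), and that `uml_mconsole` from uml-utilities is installed. `PROC_ROOT` and `UML_DIR` are overridable only so the functions can be exercised on fixtures; the defaults are the real `/proc` and `~/.uml`.

```sh
#!/bin/sh
# Added example, not from the original post: map a UML guest's tuntap
# address to the host PID of the guest's kernel process and halt it.
#
# Assumptions (mine, not the poster's): guests are started with an
# argument of the form ethN=tuntap,<dev>,<mac>,<ip>, <ip> is the address
# you key on, and UML has written ~/.uml/<umid>/pid and
# ~/.uml/<umid>/mconsole as its console output shows.
PROC_ROOT=${PROC_ROOT:-/proc}
UML_DIR=${UML_DIR:-$HOME/.uml}

# Print the <ip> field of the first ethN=tuntap,<dev>,<mac>,<ip> word in
# a space-separated command line; print nothing and fail if there is none.
uml_cmdline_ip() {
    for arg in $1; do
        case $arg in
            eth[0-9]*=tuntap,*,*,*)
                rest=${arg#*=tuntap,}   # <dev>,<mac>,<ip>
                rest=${rest#*,}         # <mac>,<ip>
                rest=${rest#*,}         # <ip>
                printf '%s\n' "${rest%%,*}"
                return 0
                ;;
        esac
    done
    return 1
}

# /proc/<pid>/cmdline is NUL-separated; turn it into one line of words.
uml_proc_cmdline() {
    tr '\0' ' ' < "$PROC_ROOT/$1/cmdline" 2>/dev/null
}

# Print "<pid> <umid>" for the guest whose tuntap <ip> equals $1.
# The pid file under ~/.uml/<umid>/ names the UML kernel process itself;
# in SKAS0 mode (which the console output shows) guest userspace runs in
# helper host processes cloned from it with the same cmdline, so a plain
# scan of /proc can match several PIDs.  The scan is only a fallback for
# guests started without a pid file; it prints the lowest matching PID.
uml_pid_for_ip() {
    want=$1
    for d in "$UML_DIR"/*/; do
        [ -r "$d/pid" ] || continue
        pid=$(cat "$d/pid")
        [ "$(uml_cmdline_ip "$(uml_proc_cmdline "$pid")")" = "$want" ] || continue
        d=${d%/}
        printf '%s %s\n' "$pid" "${d##*/}"
        return 0
    done
    for p in $(ls "$PROC_ROOT" | grep -x '[0-9]*' | sort -n); do
        [ "$(uml_cmdline_ip "$(uml_proc_cmdline "$p")")" = "$want" ] || continue
        printf '%s\n' "$p"
        return 0
    done
    return 1
}

# Halt the guest that owns address $1: cleanly through mconsole when the
# umid is known, otherwise by signalling the kernel process.
uml_halt_ip() {
    out=$(uml_pid_for_ip "$1") || return 1
    set -- $out
    if [ -n "${2-}" ]; then
        uml_mconsole "$2" halt
    else
        kill "$1"
    fi
}

# Usage when run directly: ./uml-halt.sh <guest ip>
case $# in
    1) uml_halt_ip "$1" ;;
esac
```

From the Perl monitor this can be called as `system("sh", "uml-halt.sh", $src_ip)` once the alert's source address has been extracted, or ported line for line; `uml_mconsole <umid> halt` is the same shutdown a `halt` inside the guest would produce, which is why it is preferred over `kill`.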