Deploying Security Onion / Proxmox Port mirroring

Dazz

New Member
Sep 19, 2017
Hi,

I'm trying to mirror traffic from a physical ethernet port to a Virtual Machine's virtual network card.

My setup is as follows:

Proxmox

1. Physical interface enp3s0 ------> linuxbridge (vmbr0)
2. Physical interface enp4s0 ------> linuxbridge (vmbr1)

I added a new VM (Security Onion)

Assigned vmbr0 to VM (Security Onion)
Assigned vmbr1 to VM (Security Onion)


Configured vmbr0 within Security Onion as management interface
Configured vmbr1 within Security Onion as monitoring (capturing) interface (*connected the physical interface with the switch port where data is being mirrored)

The problem is that the traffic is not showing up in the tools (Sguil, Elsa, Squert).

Is there any way to mirror traffic from a physical network card to a virtual one?

Thanks...
 
The vmbrX interfaces are Linux bridges and can't mirror traffic, but you can configure one to act like a hub. As Proxmox has a Debian 9 underneath, you can also use other Linux tools, like tc, to achieve your goal.
 
Hi Alwin,

How can I configure the Proxmox interface to act as a hub? I have never used tc before, can you help me with this? Thank you for your response.
 
If you configure the bridge to be a hub, then all traffic going into that bridge will be forwarded to all connected ports on that bridge. So all VMs will see the same traffic. This is maybe not what you want.
https://techglimpse.com/convert-linux-bridge-hub-vm-interospection/

With tc you can control where to forward mirrored traffic to.
http://lartc.org/manpages/tc.txt
https://www.systutorials.com/docs/linux/man/8-tc-mirred/

With those links provided, this is a very specific setup and may need some trial and error. There might be someone on the forum that has some experience with it.

For an easier setup, you usually have a gateway/firewall that the traffic passes through and that either has the tools for IDS/IPS on board or is capable of mirroring traffic.
 
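For the tc route Alwin points to, here is an added example (not from Alwin, nor Proxmox's own tooling) that mirrors both directions of a physical capture NIC into the monitoring VM's tap device with the mirred action. The interface names enp4s0 (capture NIC on the host) and tap100i1 (net1 of VMID 100, in Proxmox's tapXXXiN naming) are assumptions; it prints the commands by default and only runs them with DRY_RUN=0 as root.

```shell
#!/bin/sh
# Mirror every frame entering and leaving a physical capture NIC into the tap
# interface of the monitoring VM using tc's mirred action (the matchall
# classifier needs kernel/iproute2 >= 4.8, which Debian 9 ships).
# Assumed names: enp4s0 = capture NIC on the Proxmox host,
# tap100i1 = net1 of VMID 100 (Proxmox tapXXXiN naming). Adjust as needed.
SRC="${SRC:-enp4s0}"
DST="${DST:-tap100i1}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; 0 = run them (needs root)

# Print the tc commands that copy ingress and egress traffic of $1 into $2.
mirror_rules() {
  src="$1"; dst="$2"
  printf '%s\n' \
    "tc qdisc add dev $src handle ffff: ingress" \
    "tc filter add dev $src parent ffff: protocol all matchall action mirred egress mirror dev $dst" \
    "tc qdisc add dev $src handle 1: root prio" \
    "tc filter add dev $src parent 1: protocol all matchall action mirred egress mirror dev $dst"
}

# Print the commands that remove the mirroring again.
unmirror_rules() {
  printf '%s\n' \
    "tc qdisc del dev $1 ingress" \
    "tc qdisc del dev $1 root"
}

# Read commands from stdin; echo them in dry-run mode, otherwise execute them.
apply_rules() {
  while IFS= read -r cmd; do
    if [ "$DRY_RUN" = 1 ]; then
      echo "$cmd"
    else
      $cmd || return 1   # word splitting of $cmd is intended here
    fi
  done
}

# "down" tears the mirror down; anything else sets it up. Inside the guest the
# capture interface still has to run in promiscuous mode to see foreign frames.
case "${1:-}" in
  down) unmirror_rules "$SRC" | apply_rules ;;
  *)    mirror_rules "$SRC" "$DST" | apply_rules ;;
esac
```

Because frames are copied to the tap's transmit path, only the guest sees them; other VMs on the bridge are not flooded the way they would be with the hub approach.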
I was looking to build something similar using traffic from a physical tap. I have been trying to figure how to get all traffic to my Suricata VM the last couple days. I have found a solution that might help you as well. My solution is exceedingly non-elegant, and likely isn't proper, but it works to some extent.

Current Configuration:
In my /etc/network/interfaces I have:

Code:
auto eno4
iface eno4 inet manual
    # bring the tapped NIC up in promiscuous mode (ifupdown does not do it by itself)
    up ip link set $IFACE up
    up ip link set $IFACE promisc on

For the NIC itself where my tapped traffic comes in and:

Code:
auto vmbr8
iface vmbr8 inet manual
    bridge_ports eno4
    bridge_stp off
    bridge_fd 0
    bridge_ageing 0
    up ip link set $IFACE up
    up ip link set $IFACE promisc on

For the bridge to my monitoring VM.

This seems to work for the time being. I'm not sure if setting all the interfaces in promiscuous mode matters or not, but I don't feel like changing the file yet. I'm going to see if I can verify that packets aren't getting lost. Hopefully this helps!
 
Is it possible to set up a host-only network for monitoring? I haven't tried it, but the config below should set up host-only on vmbr1.

Code:
auto vmbr1
# "manual" rather than "static": no address is assigned, so static would fail on ifup
iface vmbr1 inet manual
        bridge_ports none
        bridge_stp off
        bridge_fd 0

Which fails on a host because vmbr1 is not active
 
I'm using daemonlogger as soft-tap to mirror traffic from one port/bridge to another sometimes.

Hi,
Do you have some explanation on how you are doing?

On my side, I've added a vmbr to my /etc/network/interfaces as follows:

auto vmbr3
iface vmbr3 inet manual
    bridge_ports none
    bridge_stp off
    bridge_fd 0

Now, if I run "daemonlogger -i vmbr0 -o vmbr3", the answer is:
sniffing on interface vmbr0
ERROR: init_retrans() eth_open failed
Fatal Error, Quitting..

Any idea?
 
Huh, quite a long time ago I was using this. I'm not sure, but I think I used the interfaces directly, not the bridge. So something like -i enoX (a slave of vmbr0) and -o tapXXXi0 (the interface of the VM).
 
FYI this still works just fine today on a fresh install.

-d daemonizes the process
 