Has anyone configured SecurityOnion for Proxmox/KVM?

ctlister (New Member), Nov 8, 2021
So I added the two virtual NICs as required by SecurityOnion (one is a sniffer interface and another is a management interface).

[Screenshot (345).png]

But when I get to the network configuration page I get this error.

[Screenshot (344).png]

I believe the problem is that Proxmox is automatically assigning IP addresses via DHCP to the net0 and net1 interfaces. I do not want it to do that. I want static IP addresses that can sniff the local LAN for malware traffic. I am aware that Proxmox automatically gives out an IP address on the local LAN subnet, but this error I see in SecurityOnion is cryptic.

It can either be (A) Proxmox automatic DHCP has to be disabled for the guest or (B) Somehow SecurityOnion does not like Proxmox's management IP.

This is my first day running Proxmox, ever. So I am pretty new to this. Since I find few how-to guides or documentation on the official https://github.com/Security-Onion-Solutions/securityonion/discussions discussions board, I will keep experimenting until I find an answer, or until someone can post me a comprehensive walkthrough on how to get this working.

All I see on the internet is lousy VirtualBox guides. I am completely done with Type 2 hypervisors; that's why I installed Proxmox and that's why I am determined to make this work, since SecurityOnion with a ton of resources allocated to it on a Type 1 hypervisor is the most efficient way to make it work.
 
To disable DHCP for the Security Onion VM, expand Firewall, then click on Options > DHCP > Edit (alternatively, you can double click on DHCP under Options), then uncheck DHCP.

[1637920679089.png]

I hope that helps.
 
Reactions: ctlister
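The reply above changes the per-VM firewall setting through the web UI. The following is an added example, not code from the thread or from Proxmox, that reads the same setting back from the VM's firewall file so you can confirm from a shell that the checkbox was actually cleared. It assumes the documented layout of /etc/pve/firewall/<vmid>.fw (an [OPTIONS] section holding "key: value" lines); the sample file it writes is constructed for the example and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Reports the "dhcp" option from the
# [OPTIONS] section of a Proxmox per-VM firewall file such as
# /etc/pve/firewall/100.fw. The [OPTIONS] / "key: value" layout is assumed
# from Proxmox's documented firewall config format.

# Print the value after "dhcp:" in [OPTIONS] ("1" or "0"), or "absent"
# when the option is not set in that section.
pve_dhcp_option() {
  awk '
    /^\[/ { in_opts = ($0 == "[OPTIONS]"); next }
    in_opts && /^dhcp:/ {
      sub(/^dhcp:[ \t]*/, ""); print; found = 1; exit
    }
    END { if (!found) print "absent" }
  ' "$1"
}

# Write a constructed sample resembling a VM firewall file to path $1.
# The DHCP option is already cleared, as the reply above recommends.
write_sample_fw() {
  cat > "$1" <<'EOF'
[OPTIONS]
enable: 1
dhcp: 0

[RULES]
IN ACCEPT -p tcp -dport 22
EOF
}

# Human-readable verdict for the VM firewall file given as $1.
check_vm_dhcp() {
  case "$(pve_dhcp_option "$1")" in
    0) echo "dhcp disabled" ;;
    1) echo "dhcp enabled" ;;
    *) echo "dhcp not set (Proxmox default applies)" ;;
  esac
}

# Usage: sh check_dhcp.sh /etc/pve/firewall/<vmid>.fw
if [ -n "${1:-}" ]; then
  check_vm_dhcp "$1"
fi
```

Note that this option only controls whether the VM firewall lets the guest exchange DHCP traffic; it is per VM and has no effect on the bridge or on other guests, and the sniffer interface inside Security Onion should be left without an address regardless of how it is set.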
Hello! I configured SO a week ago and I was spending time monitoring alerts and monitoring my family's devices and trying out Red/Blue team exercises on TryHackMe, HackTheBox, and VirtualHackingLabs, but I just found this post again in my email.

I put together a writeup for configuring SecurityOnion specifically for PVE. https://xringarchery.wordpress.com/2021/12/21/installing-securityonion-on-proxmox-ve/

My build involved bonding interfaces eno1 + eno2, giving eno3 to SO's sniffer, and eno4 to my Plex media server for zero-lag streaming to my Chromecast.

I actually recommend AT LEAST twice as many resources as recommended for SO, for any build including Type 2 hypervisors like VirtualBox and VMware Workstation. The reason is that I tested a Cobalt Strike Beacon running the Zeus banking trojan Malleable C2 profile, and after I shut down the teamserver on the LAN, it began connecting to the broadcast range, causing my SO setup to flood with alerts (although for some reason none of the default playbooks can detect Zeus or a Beacon/Geacon mimicking Zeus), which I eventually hunted down with Kibana. My server spun up like crazy after it was allocated 8 logical cores and 24GB of RAM.
 
