IDS on VM , cant see alla traffic only BUM and dst to self mac

P

PmUserZFS

Renowned Member
Feb 2, 2018
144
9
83
I got a vm that is untagged, in the vm I have set the tap nic to prom.

1749114573157.png


but I still only get BUM from all vlans though.
proxmox network is a standard OVS bridge.

someone the host only get the frames destined to its mac and BUM. no prom traffic/all traffic.

any input?
 
You have to enable promiscous mode on the bridge too. The guest does not control promiscuous mode on the host.

https://docs.openvswitch.org/en/latest/faq/configuration/

J

[TUTORIAL] Thread 'Proxmox + Security Onion without OVS'

Since there is a complete lack of SPAN/Mirror examples using Linux Bridges into Security Onion, I thought I'd post what got working.... Also is an example using multiple bridge mirrors, which is discussed but never actually shown anywhere.

Disclaimer, I am still in the very early stages of setting up a home security lab. So, I may eventually switch to OVS like everyone else, but I didn't want to redo my whole network configuration and I honestly hate the CLI syntax of OVS. I've been using Proxmox for about 2 weeks. So, there are random IDK, correct me if I am wrong parts, but I would...
  • Like
 
Last edited:
  • Like
Reactions: UdoB
guruevi said:
You have to enable promiscous mode on the bridge too. The guest does not control promiscuous mode on the host.

https://docs.openvswitch.org/en/latest/faq/configuration/

J

[TUTORIAL] Thread 'Proxmox + Security Onion without OVS'

Since there is a complete lack of SPAN/Mirror examples using Linux Bridges into Security Onion, I thought I'd post what got working.... Also is an example using multiple bridge mirrors, which is discussed but never actually shown anywhere.

Disclaimer, I am still in the very early stages of setting up a home security lab. So, I may eventually switch to OVS like everyone else, but I didn't want to redo my whole network configuration and I honestly hate the CLI syntax of OVS. I've been using Proxmox for about 2 weeks. So, there are random IDK, correct me if I am wrong parts, but I would...
  • Like
Click to expand...
Hi, yes OVS is prom by default, and tou can see that on my suppiled screenshot of vmbr1, prom=1
 
The tap interface on the host is already set to promiscuous, but the bridge won't forward all packets to that port (only according to the fdb of the bridge). Setting the bridge itself to promiscuous won't help either since then only the host will receive all packets from that bridge.

You need to either use OVS and define a SPAN port [1] there or use the tc solution linked in the previous post. Both methods will require you to have a IDS VM running on each host, since it only works for traffic on that local bridge - not in the whole network. There's some discussion about implementing port mirroring (locally or even across multiple nodes) going on here [2], if you want to chime in.

[1] https://docs.openvswitch.org/en/latest/faq/configuration/
[2] https://bugzilla.proxmox.com/show_bug.cgi?id=6150
 
shanreich said:
The tap interface on the host is already set to promiscuous, but the bridge won't forward all packets to that port (only according to the fdb of the bridge). Setting the bridge itself to promiscuous won't help either since then only the host will receive all packets from that bridge.

You need to either use OVS and define a SPAN port [1] there or use the tc solution linked in the previous post. Both methods will require you to have a IDS VM running on each host, since it only works for traffic on that local bridge - not in the whole network. There's some discussion about implementing port mirroring (locally or even across multiple nodes) going on here [2], if you want to chime in.

[1] https://docs.openvswitch.org/en/latest/faq/configuration/
[2] https://bugzilla.proxmox.com/show_bug.cgi?id=6150
Click to expand...
ah, thnx! Ill look into the span thing
 
You must log in or register to reply here.
Top Bottom
Back