Network Sensor (monitor session - promiscuous)

KNM
Nov 2, 2017
Scenario:
PROXMOX on physical HW with two virtual network devices defined (vmbr0, vmbr1)

vmbr0 is bridged to physical adapter eno1 as the management interface and has a static IP

vmbr1 is bridged to physical adapter enp3s0 and has no IP configured, connected to a Cisco monitor session port

Using tcpdump -i vmbr1 on the PROXMOX machine I can see all the traffic on the monitor port

Using tcpdump -i eth1 (connected to vmbr1) on a guest machine (CT or VM) I only see broadcast traffic.

I have found the note about bridge_ageing 0 and tried that with no success.

Anyone out there using a network sensor (OSSIM/SNORT/TCPDUMP) as a guest machine on PROXMOX?
 
Greetings; this is my first post in this community. I also use OSSIM (and Wireshark), and initially, promiscuous mode did not work. In order to help anyone else with the same issue (I know it's an old thread), here is my /etc/network/interfaces file:

Code:
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage part of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

auto enp0s31f6
iface enp0s31f6 inet manual
mtu 9000
up ifconfig $IFACE promisc

auto enp4s0f0
iface enp4s0f0 inet manual
up ifconfig $IFACE promisc

iface enp4s0f1 inet manual

auto vmbr0
iface vmbr0 inet static
    address  10.0.0.5
    netmask  255.255.255.0
    gateway  10.0.0.1
    bridge-ports enp0s31f6
    mtu 9000
    bridge-stp off
    bridge-fd 0
    bridge_ageing 0

auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp4s0f0
    bridge-stp off
    bridge-fd 0
    bridge_ageing 0

Note that promiscuous mode is also set for the physical adapters.
 
Apologies for the 2-year necro on this, but according to the manpage for ifupdown-addons-interfaces, it seems that bridge-ageing is a hyphen not an underscore. I have not tried it with the underscore (it may work), but hopefully this helps save some time for anyone who may stumble on this highly-ranked post via Google. :)
 
I am trying to set up Security Onion on Proxmox. I followed exactly what you have in your interfaces file, and I tried changing bridge_ageing to bridge-ageing, but that didn't work either. When I connected vmbr1 to Security Onion as my monitor port, I do not see any traffic. Is there anything I am doing wrong?
 
Joining in on this necro; I'm doing the same thing as everyone else as far as I can see.
Tcpdump on the host NIC and host bridge both show the traffic I'm expecting, but as soon as I go to the guest it's not making it through.
I've gone to /etc/network/interfaces and added bridge_ageing and bridge-ageing permutations; ifupdown2 asks to apply changes, but then I seem to lose the changes the next time I've checked.

I guess the issue for me is that I'm not changing the network interfaces in the correct way.

Any tips? Bit of a Linux newbie, but doing my best to research.
 
Ah, I see now: it has to go in /etc/network/interfaces.new to make it take!
 
Yes, it was exactly what they said: adding bridge-ageing 0.

My problem was that every time I changed it and reloaded, the change would go away immediately. I sort of bodged it by changing the MTU value via the web GUI, then using nano to update the interfaces.new file so my changes got applied at that reload.

Hope that helps!
 
Just a quick update on how I'd done that on v7.1.4:
Code:
cat /etc/network/interfaces

...
iface XXXX inet manual
up /sbin/ip link set $IFACE promisc on
#NIC_3_SPAN

...

And the verification:
Code:
root@pygaman:~# systemctl restart networking.service
root@pygaman:~# ip a | grep PROMISC
5: XXXXX: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr3 state UP group default qlen 1000
...

I can see all the switch SPAN port traffic arriving at the NIC level on PVE, although it's not going up to the bridge mapped on that interface... Don't yet know what I'm doing wrong...

EDIT:
I think this would explain that...
https://serverfault.com/questions/798001/kvm-bridge-for-promisc-interface-ids
http://www.ryanhallman.com/kvm-configure-mirrored-ports-traffic-to-be-visible-in-guest-snort/

All you need on your host in order to pass the spanned traffic up the bridge is the following:
Code:
brctl setageing vmbr3 0
brctl setfd vmbr3 0

EDIT2:
Final working config, reboot persistent:
Code:
# cat /etc/network/interfaces
...
iface enxe inet manual
        up /sbin/ip link set $IFACE promisc on
#NIC_3_SPAN
...
auto vmbr3
iface vmbr3 inet manual
        bridge-ports enxe
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
        up /usr/sbin/brctl setageing vmbr3 0
        up /usr/sbin/brctl setfd vmbr3 0
#SPAN bridge
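The thread settles on two host-side settings: the SPAN-facing NIC has to be promiscuous (the `up ... promisc` lines in the interfaces files above) and the bridge in front of the sensor guest has to run with ageing 0 (`bridge-ageing 0` or `brctl setageing <bridge> 0`), otherwise MAC learning means only broadcast and unknown-destination frames get flooded to the guest's tap. The script below is an added example, not code from the Proxmox project or from any of the posters: it parses an `/etc/network/interfaces` file, reports which of those settings a SPAN bridge is missing, and interprets the live kernel state from sysfs so the check does not depend on which spelling ifupdown2 actually honoured. The interface names in the constructed samples (`enp3s0`, `vmbr1`) and the helper names are assumptions; the promisc flag bit and the sysfs paths are standard Linux.

```python
"""Audit a Proxmox VE host's SPAN bridge: NIC promiscuous, bridge ageing 0.

Added example, not Proxmox or thread code. Interface names in the samples
below are assumptions chosen to mirror the configs posted in the thread."""
import re
from pathlib import Path

IFF_PROMISC = 0x100  # bit in /sys/class/net/<dev>/flags, from <linux/if.h>


def parse_interfaces(text):
    """Parse ifupdown(2) syntax into {ifname: {method, opts, up, legacy_keys}}."""
    stanzas, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"iface\s+(\S+)\s+inet\s+(\S+)", line)
        if m:
            cur = stanzas.setdefault(m.group(1), {"method": m.group(2), "opts": {},
                                                   "up": [], "legacy_keys": []})
            continue
        parts = line.split(None, 1)
        key, val = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if cur is None or key in ("auto", "allow-hotplug", "source", "source-directory"):
            continue
        if key in ("up", "post-up"):
            cur["up"].append(val)
            continue
        if "_" in key:  # bridge_ageing etc.: bridge-utils/ifupdown1 spelling
            cur["legacy_keys"].append(key)
        cur["opts"][key.replace("_", "-")] = val  # normalise so lookups see both spellings
    return stanzas


def audit_span_bridge(stanzas, bridge):
    """Findings for a bridge meant to feed mirrored traffic to a guest; [] means it looks right."""
    br = stanzas.get(bridge)
    if br is None:
        return [f"{bridge}: no iface stanza"]
    findings = []
    ports = [p for p in br["opts"].get("bridge-ports", "none").split() if p != "none"]
    if not ports:
        findings.append(f"{bridge}: bridge-ports is 'none', nothing feeds the bridge")
    # 1. Without promisc the NIC discards unicast not addressed to its own MAC.
    for p in ports:
        if not any("promisc" in cmd for cmd in stanzas.get(p, {"up": []})["up"]):
            findings.append(f"{p}: no 'up ... promisc' line; the NIC will drop foreign unicast")
    # 2. With learning on, every mirrored source MAC is learned on the SPAN port, so frames
    #    to those MACs are sent back towards the SPAN port (and dropped) instead of flooded
    #    to the guest's tap; only broadcast/unknown frames get through. Ageing 0 = hub mode.
    ageing = br["opts"].get("bridge-ageing")
    via_brctl = any(re.search(rf"setageing\s+{re.escape(bridge)}\s+0\b", cmd) for cmd in br["up"])
    if ageing != "0" and not via_brctl:
        findings.append(f"{bridge}: bridge-ageing is {ageing!r}, expected 0 "
                        f"(or 'up brctl setageing {bridge} 0')")
    for k in br["legacy_keys"]:
        findings.append(f"{bridge}: '{k}' is bridge-utils spelling; the ifupdown2 manpage "
                        f"documents '{k.replace('_', '-')}', confirm the live value via sysfs")
    # 3. A sniffing bridge should neither own an address nor take part in STP.
    if br["method"] != "manual" or "address" in br["opts"]:
        findings.append(f"{bridge}: has an address; a sensor bridge should be 'inet manual'")
    if br["opts"].get("bridge-stp", "off") != "off":
        findings.append(f"{bridge}: bridge-stp is on; not wanted on a monitor-only bridge")
    return findings


def runtime_state(port_flags_hex, bridge_ageing_time):
    """Interpret raw sysfs values: (port is promiscuous, bridge ageing is 0)."""
    promisc = bool(int(port_flags_hex, 16) & IFF_PROMISC)
    hub_mode = int(bridge_ageing_time) == 0  # centiseconds; 30000 is the 300 s default
    return promisc, hub_mode


def read_runtime_state(port, bridge, sysfs="/sys/class/net"):
    """Read the live kernel state, which is what counts after an ifreload or reboot."""
    root = Path(sysfs)
    return runtime_state((root / port / "flags").read_text().strip(),
                         (root / bridge / "bridge" / "ageing_time").read_text().strip())


# Constructed samples modelled on the thread: the original broken layout and the fix.
BROKEN = """\
auto enp3s0
iface enp3s0 inet manual

auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp3s0
    bridge-stp off
    bridge-fd 0
"""

FIXED = """\
auto enp3s0
iface enp3s0 inet manual
    up /sbin/ip link set $IFACE promisc on

auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp3s0
    bridge-stp off
    bridge-fd 0
    bridge-ageing 0
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit_span_bridge(parse_interfaces(cfg), "vmbr1") or ["ok"])
    try:
        print("live (promisc, ageing 0):", read_runtime_state("enp3s0", "vmbr1"))
    except OSError as e:  # not on a Proxmox host, or different interface names
        print("live state unavailable:", e)
```

On a host, run it as root after `ifreload -a` (ifupdown2's way of applying an edited `/etc/network/interfaces`, which avoids the `interfaces.new` detour described above) and then confirm end to end with `tcpdump -ni <tap>` on the guest's tap device, where non-broadcast unicast from the SPAN should now appear. The sysfs read is the decisive check: whichever spelling of the ageing option ifupdown2 accepted, `/sys/class/net/<bridge>/bridge/ageing_time` must read `0` and the port's `flags` must have bit `0x100` set.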
 