Network Setup for IDS (aka Port Span / Port Mirroring / Sniffing)

incremental

New Member
Jul 22, 2014
I am running a basic single node setup, with a routed configuration. My Proxmox machine is plugged into my wireless router as a normal client. I would like to create a new VM within Proxmox where I run an IDS (SecurityOnion). Does anyone know a way I can configure networking so I can promiscuously see all traffic coming and going to the Proxmox server inside a VM?


[WIRELESS ROUTER]
192.168.50.0 with DHCP disabled.

[PROXMOX]
192.168.50.100 with DHCP services inside a VM.

[PROXMOX INTERFACES CONFIG]
# network interface settings
auto lo
iface lo inet loopback


auto eth0
# client on wireless router.
iface eth0 inet manual
# nothing plugged in.
iface eth1 inet manual


auto vmbr0
iface vmbr0 inet static
    address 192.168.50.100
    netmask 255.255.255.0
    gateway 192.168.50.1
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0
 

incremental

New Member
Jul 22, 2014

Thank you spirit. I also was successful with this method:

#1 Add new bridge to /etc/network/interfaces
auto vmbr1
iface vmbr1 inet manual
    bridge_ports none
    bridge_stp off
    bridge_fd 0

#2 Install & run daemonlogger. Configure it to forward a mirror of all traffic from eth0 to vmbr1.
apt-get install daemonlogger
daemonlogger -i eth0 -o vmbr1

#3 Configure Security Onion or IDS distribution to have a second network interface using vmbr1. Note I had to STOP the VM and START it to see the new interface inside Ubuntu (not restart).

#4 Confirm I can see traffic in Security Onion or IDS that is global to all Virtual Machines.
tcpdump -i eth1
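
An added check, not part of the original post: it confirms that the mirror bridge from step #1 is isolated (brought up at boot, method manual, no physical ports, no IP address), so the copy of eth0 traffic that daemonlogger writes to it reaches only the IDS VM. The function name check_mirror_bridge and the sample stanza are constructed for illustration.

```shell
#!/bin/sh
# check_mirror_bridge FILE BRIDGE   (hypothetical helper, not a Proxmox tool)
# Reads an ifupdown interfaces file (FILE, or "-" for stdin) and checks that
# BRIDGE is an isolated mirror target: listed on an "auto" line, method
# "manual", "bridge_ports none", and no IP address. Prints one line per
# problem and returns non-zero if any problem was found.
check_mirror_bridge() {
    awk -v br="$2" '
        /^[ \t]*#/ || NF == 0 { next }               # skip comments and blank lines
        $1 == "auto" || $1 == "allow-hotplug" {       # boot-time activation line
            in_br = 0
            for (i = 2; i <= NF; i++) if ($i == br) auto = 1
            next
        }
        $1 == "iface" { in_br = ($2 == br); if (in_br) { seen = 1; method = $4 }; next }
        $1 ~ /^(mapping|source|source-directory)$/ || $1 ~ /^allow-/ { in_br = 0; next }
        !in_br { next }                               # option lines of other stanzas
        $1 == "bridge_ports" || $1 == "bridge-ports" { ports = $2; nports = NF - 1 }
        $1 == "address" { addr = $2 }
        END {
            if (!seen) { print "no iface stanza for " br; bad = 1 }
            if (!auto) { print br " is not listed on an auto line"; bad = 1 }
            if (seen && method != "manual") { print br " uses method " method ", expected manual"; bad = 1 }
            if (seen && !(ports == "none" && nports == 1)) { print br " has bridge ports, expected none"; bad = 1 }
            if (addr != "") { print br " has address " addr; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: the vmbr1 stanza from step #1.
sample_interfaces() {
    cat <<'EOF'
auto vmbr1
iface vmbr1 inet manual
    bridge_ports none
    bridge_stp off
    bridge_fd 0
EOF
}

if sample_interfaces | check_mirror_bridge - vmbr1; then
    echo "vmbr1: isolated mirror bridge"
fi
```

On the Proxmox host it would be run as check_mirror_bridge /etc/network/interfaces vmbr1.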
 

spirit

Famous Member
Apr 2, 2010
Thanks, great to know.


By the way, the next Proxmox version will have a firewall + IPS feature (suricata) running on host.

(you can enable them for each VM individually)
 
