Network Setup for IDS (aka Port Span / Port Mirroring / Sniffing)

incremental
Jul 22, 2014
I am running a basic single node setup, with a routed configuration. My proxmox machine is plugged into my wireless router as a normal client. I would like to create a new VM within proxmox where I run an IDS (SecurityOnion). Does anyone know a way I can configure networking so I can promiscuously see all traffic coming and going to the proxmox server inside a VM?
[WIRELESS ROUTER]
192.168.50.0 with DHCP disabled.

[PROXMOX]
192.168.50.100 with DHCP services inside a VM.

[PROXMOX INTERFACES CONFIG]
# network interface settings
auto lo
iface lo inet loopback


auto eth0
iface eth0 inet manual # client on wireless router.
iface eth1 inet manual # nothing plugged in.


auto vmbr0
iface vmbr0 inet static
address 192.168.50.100
netmask 255.255.255.0
gateway 192.168.50.1
bridge_ports eth0
bridge_stp off
bridge_fd 0
Thank you spirit. I also was successful with this method:

#1 Add new bridge to /etc/network/interfaces
auto vmbr1
iface vmbr1 inet manual
bridge_ports none
bridge_stp off
bridge_fd 0

#2 Install & run daemonlogger. Configure it to forward a mirror of all traffic from eth0 to vmbr1.
apt-get install daemonlogger
daemonlogger -i eth0 -o vmbr1

#3 Configure Security Onion or IDS distribution to have a second network interface using vmbr1. Note I had to STOP the VM and START it to see the new interface inside Ubuntu (not restart)

#4 Confirm I can see traffic in Security Onion or IDS that is global to all Virtual Machines.
tcpdump -i eth1
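Added example, not code from the thread: a small Python check of the ifupdown stanza the post adds, confirming that the mirror bridge is marked auto, has no ports and carries no address, so the IDS VM only ever receives the copy daemonlogger writes into it. It assumes the eth0 / vmbr0 / vmbr1 names from the post.

```python
"""Added example, not code from the thread: sanity-check an ifupdown
/etc/network/interfaces for the mirror bridge the post creates. Assumes the
post's layout: eth0 uplinks via vmbr0; vmbr1 is the port-less bridge that
'daemonlogger -i eth0 -o vmbr1' feeds."""

# Constructed sample: the post's stanzas, keeping its original "auth vmbr1" typo.
SAMPLE = """\
auto vmbr0
iface vmbr0 inet static
bridge_ports eth0

auth vmbr1
iface vmbr1 inet manual
bridge_ports none
bridge_fd 0
"""

def parse_interfaces(text: str) -> dict:
    """Return {name: {"auto": bool, "method": str | None, "opts": {key: value}}}."""
    ifaces, cur = {}, None
    new = lambda: {"auto": False, "method": None, "opts": {}}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()          # drop trailing comments
        if not words:
            continue
        if words[0] == "auto" or words[0].startswith("allow-"):
            for name in words[1:]:
                ifaces.setdefault(name, new())["auto"] = True
            cur = None
        elif words[0] == "iface" and len(words) >= 4:
            cur = ifaces.setdefault(words[1], new())
            cur["method"] = words[3]
        elif cur is not None:
            # any other word is an option of the open stanza, so a misspelled
            # "auth vmbr1" is swallowed by vmbr0 and vmbr1 is never marked auto
            cur["opts"][words[0]] = " ".join(words[1:])
    return ifaces

def check_mirror_bridge(text: str, uplink: str = "eth0", mirror: str = "vmbr1") -> list:
    """Return problems found; empty means the mirror bridge is a passive sniff target."""
    br = parse_interfaces(text).get(mirror)
    if br is None:
        return [f"{mirror}: no iface stanza"]
    problems = []
    if not br["auto"]:
        problems.append(f"{mirror}: not listed under 'auto', so it will not come up at boot")
    if br["method"] != "manual":
        problems.append(f"{mirror}: use 'inet manual'; a sniff bridge needs no IP address")
    if br["opts"].get("bridge_ports", "").split() != ["none"]:
        problems.append(f"{mirror}: bridge_ports must be 'none' so copied frames stay on the host")
    return problems
```

Run against the post's stanza as written, the check reports only the missing `auto`; with the typo corrected it returns an empty list.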