Port Spanning, Mirroring or Monitoring Within Proxmox for NIDS

Davidoff

Nov 19, 2017
I'm attempting to set up network intrusion detection on my LAN. I plan to do this in two steps. First, setting up a SPAN port on the physical switch, which will be connected to a NIC in my single-host Proxmox server, which will then be passed through to the VM in Proxmox running Ossim. That SPAN port will mirror traffic on all physical ports on the physical switch. This part I'm leaving for a later time.

Second, assuming my understanding of networking is correct (which it may well not be), I also plan to set up a virtual SPAN/mirror port within Proxmox itself. The reason I'd like to do this is because my understanding is that Proxmox itself contains a virtual switch through which traffic flows to and from containers and virtual machines to other physical devices outside of Proxmox on my LAN, as well as between containers and VMs within Proxmox itself. While traffic that flows to or from physical devices, on the one hand, and VMs and CTs, on the other, would be captured by the physical mirror port on the physical switch, my understanding is that traffic flowing between VMs and CTs within Proxmox would not be, as it all stays within Proxmox. My first question would be whether or not the foregoing is an accurate statement. Any comments or thoughts on that front would be most appreciated.

Assuming the above is correct, and after reading various posts on different ways to set up virtual port mirroring within Proxmox, I've decided to try using daemonlogger, following the recommendations of this post. To me, this seems to be the simplest way to set up persistent virtual port mirroring without the need for scripts or a ton of OpenVSwitch commands and the like. In any event, I've attempted to adapt the instructions from the previously mentioned post to accommodate my particular setup.

My current /etc/network/interfaces is as follows:

Code:
auto lo
iface lo inet loopback

allow-vmbr0 bond0
iface bond0 inet manual
    ovs_bridge vmbr0
    ovs_type OVSBond
    ovs_bonds eno1 eno2 eno3 eno4
    ovs_options bond_mode=balance-tcp lacp=active other_config:lacp-time=slow

auto vmbr0
allow-ovs vmbr0
iface vmbr0 inet manual
    ovs_type OVSBridge
    ovs_ports bond0 vlan99

allow-vmbr0 vlan99
iface vlan99 inet static
    ovs_type OVSIntPort
    ovs_bridge vmbr0
    ovs_options tag=99
    ovs_extra set interface ${IFACE} external-ids:iface-id=$(hostname -s)-${IFACE}-vif
    address 10.0.99.3
    netmask 255.255.255.0
    gateway 10.0.99.1

So as a first step, I plan to add the following to /etc/network/interfaces:

Code:
auto vmbr1
iface vmbr1 inet manual
    bridge_ports none
    bridge_stp off
    bridge_fd 0

Second, I would then install daemonlogger and run it as a service with the following service file:

Code:
[Unit]
Description=Daemonlogger
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/daemonlogger -i vmbr0 -o vmbr1
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
[Install]
WantedBy=multi-user.target

And this is the part where I start to get a bit confused. In the original post referenced above, the command @incremental used was daemonlogger -i eth0 -o vmbr1. I imagine the equivalent when translated for my setup would be daemonlogger -i bond0 -o vmbr1. The part that I'm not sure I understand is the reference to eth0 in the original post (or bond0 for my setup). If that is designated as the port being mirrored, then wouldn't that mirror only traffic flowing out of Proxmox and to the physical switch only? In other words, if one CT was transmitting data to another within the same Proxmox host, then presumably that data would never even hit eth0 or bond0, would it? It seems to make sense in the original post, as the user in that case wanted to monitor traffic coming in and out of the Proxmox box, and my objectives are a bit different.

I suppose a shorter way of asking the question would be whether or not the line above in the service file, ExecStart=/usr/bin/daemonlogger -i vmbr0 -o vmbr1, would mirror all traffic between containers and VMs within Proxmox itself. Would that be the proper way to do it?

A related question would be whether or not there would be a simple way to limit monitoring to only traffic going to/from CTs and VMs - in other words, ignoring all traffic that enters or exits the Proxmox box (through bond0). I only ask because there would likely be some duplication if all traffic through vmbr0 is mirrored with traffic mirrored through the physical SPAN port on the physical switch. I don't imagine this would be huge, but it would perhaps be nice to eliminate duplication of mirrored traffic if that would be possible.

The remaining steps I think would be straightforward - namely configure the VM hosting Ossim with a second virtual NIC that uses vmbr1, then configure Ossim to use that virtual NIC to monitor network traffic.

In any event, I'm quite certain that I've likely gotten something wrong in the above, so any comments, suggestions, advice, recommendations or thoughts on any of the above would be most appreciated.
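The question in the post hinges on what a capture on vmbr0 actually sees. On an Open vSwitch bridge the interface named vmbr0 is the bridge's own internal (LOCAL) port: it receives frames addressed to the host and frames the bridge floods, but not unicast frames switched between two guest ports once their MAC addresses have been learned. So daemonlogger -i vmbr0 misses exactly the CT-to-VM traffic the post wants, and -i bond0 sees only what leaves the host, as the post suspects. The way to get inter-guest traffic is an OVS mirror whose selected ports are the guest ports only, which also answers the duplication question: leaving bond0 out of the selection means frames the physical SPAN port already delivers are not copied a second time. The script below is an added example, not code from the post or from Proxmox; it assumes an internal capture port named span0, a mirror named guestspan, and Proxmox's guest port naming (tapVMIDiN for VMs, vethCTIDiN for containers, fwprVMIDpN when the Proxmox firewall bridge sits in between). The bridge vmbr0 and uplink bond0 are the names from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: mirror the guest-facing
# ports of an Open vSwitch bridge into a dedicated internal capture port.
# Assumed names (not in the post): capture port "span0", mirror "guestspan",
# guest ports tapVMIDiN / vethCTIDiN / fwprVMIDpN (Proxmox naming).
# Bridge vmbr0 and uplink bond0 are the names used in the post.

OVS_VSCTL="${OVS_VSCTL:-ovs-vsctl}"   # override on a host without OVS
DRY_RUN="${DRY_RUN:-1}"               # 1 = print the commands, 0 = execute them

# Run a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Filter a list of bridge ports (one per line, as "ovs-vsctl list-ports BRIDGE"
# prints them) down to the guest-facing ones: drop the uplink, the bridge's
# own internal port and any other internal/VLAN port (vlan99 in the post),
# keeping only Proxmox guest port names. Reading stdin keeps this testable.
guest_ports() {
    bridge="$1"; uplink="$2"
    grep -v -x -e "$uplink" -e "$bridge" | grep -E '^(tap|veth|fwpr)[0-9]+' | sort
}

# Create the internal capture port on the bridge (idempotent) and bring it up.
add_capture_port() {
    bridge="$1"; port="$2"
    run "$OVS_VSCTL" -- --may-exist add-port "$bridge" "$port" \
        -- set Interface "$port" type=internal
    run ip link set "$port" up
}

# Build one ovs-vsctl transaction creating mirror NAME on BRIDGE that copies
# every frame sent by or delivered to the listed guest ports to OUTPORT.
# The uplink is deliberately not among the selected ports, so frames that the
# physical switch's SPAN port already delivers are not captured twice.
create_mirror() {
    bridge="$1"; outport="$2"; name="$3"; shift 3
    [ $# -gt 0 ] || { echo "create_mirror: no guest ports to mirror" >&2; return 1; }
    cmd="$OVS_VSCTL -- set Bridge $bridge mirrors=@m -- --id=@out get Port $outport"
    refs=""; n=0
    for p in "$@"; do
        n=$((n + 1))
        cmd="$cmd -- --id=@p$n get Port $p"
        refs="${refs:+$refs,}@p$n"
    done
    cmd="$cmd -- --id=@m create Mirror name=$name select-src-port=$refs select-dst-port=$refs output-port=@out"
    # shellcheck disable=SC2086  # intentional word splitting of the built command
    run $cmd
}

# Usage: sh mirror.sh plan   (print the commands)   |   sh mirror.sh apply
main() {
    if [ "$1" = apply ]; then DRY_RUN=0; fi
    bridge=vmbr0; uplink=bond0; capture=span0
    ports=$("$OVS_VSCTL" list-ports "$bridge" | guest_ports "$bridge" "$uplink") || return 1
    add_capture_port "$bridge" "$capture"
    # shellcheck disable=SC2086  # one port name per word
    create_mirror "$bridge" "$capture" guestspan $ports
}

case "${1:-}" in plan|apply) main "$1" ;; esac
```

Run it with plan first to see the exact ovs-vsctl transaction, then apply. With the mirror in place, the post's service file works unchanged except for the input interface: daemonlogger -i span0 -o vmbr1 copies the mirrored frames into vmbr1 for the Ossim VM's second NIC. Verify with ovs-vsctl list Mirror and tcpdump -ni span0 while one container talks to another; those frames appear on span0 but not on vmbr0. Note that the mirror is not persistent across an OVS database reset, and that a guest started after the mirror was created gets a new port that is not selected until the mirror is rebuilt, so re-running apply after guest changes is the practical approach.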
 
Hi David, I'm working on something similar now. I was curious if you were successful in getting internal Proxmox traffic spanned out?