Setting up NIDS in VE, where put it in architecure and how redirect all trafic from/to Snort/Suricata

[marcinr_92]

Hello all,

I want deploy snort in my VE, but i wounder what is the beast approach to do that. First idea is deploy vm with snort or something similar like suricata, but the real problem is ... how to redirect all traffic from NIC, VE from/to snort.

I imagine it like this:
vmbrX <--> Snort/Suricata <--> VE (other virtual machines)

So, should i do that from proxmox instance ? How we solve that in your environment? I don't do deep research, but the first thought that comes to my mind are routing tables. It is right ?

 

[Stoiko Ivanov]

You have several possibilities:
* install nids of your choice (suricata/suricata) directly on the PVE node - and let it scan the traffic coming in on the NICs of the machine - see https://pve.proxmox.com/wiki/Firewall) (IDS or IPS)
* create a SPAN/Mirror port on the vmbr, where all guests are connected (s ee https://forum.proxmox.com/threads/problem-with-snort-and-port-mirroring.59068/ for some more details) and use that for sniffing (only IDS)
* create a nids -VM with 3 interfaces (management, in, out), put the 'in' interface as only interface in the bridge where the hosts NIC is, put the 'out' interface in another bridge (vmbr1), connect all VMs to vmbr1 (also the mgmt -port of the nids VM)


I hope that helps!

 

[marcinr_92]

Thank you so much ! i have a liitle problem yet with good understanding how traffic work in full virtual environment but i working on it

 

[thierrykaya]

You have several possibilities:
* install nids of your choice (suricata/suricata) directly on the PVE node - and let it scan the traffic coming in on the NICs of the machine - see https://pve.proxmox.com/wiki/Firewall) (IDS or IPS)
* create a SPAN/Mirror port on the vmbr, where all guests are connected (s ee https://forum.proxmox.com/threads/problem-with-snort-and-port-mirroring.59068/ for some more details) and use that for sniffing (only IDS)
* create a nids -VM with 3 interfaces (management, in, out), put the 'in' interface as only interface in the bridge where the hosts NIC is, put the 'out' interface in another bridge (vmbr1), connect all VMs to vmbr1 (also the mgmt -port of the nids VM)


I hope that helps!

Hi,

Which one of these 3 options you reckon would fit in with Proxmox' security model and not increase its attack surface ?

Cheers,

 

[MH_MUC]

Hi Stoiko, is there a tutorial for the integration of suricata that is a little more detailed then the one in the wiki?

 

[Stoiko Ivanov]

Hi Stoiko, is there a tutorial for the integration of suricata that is a little more detailed then the one in the wiki?

Nothing official from our side (that I'm aware of) - a quick search here shows the following potentially interesting results:
https://forum.proxmox.com/threads/s...ricata-ids-ips-after-host-pve-firewall.44034/

maybe also the 'Mastering Proxmox' book series could be of interest:
https://books.google.at/books?id=qE...Q6AF6BAghEAM#v=onepage&q=PVE suricata&f=false

(keep in mind that I have not tried those tutorials - so cannot guarantee that they will work or are sensible)

 

[MH_MUC]

Hi, thank you very much for the reply. I have the proxmox-book, but the chapter doesn't contain anything, that one wouldn't find in your wiki.
I think the solution would be to create a VM with pfsense as described somewhere here in the forums. This seems to be a challenge if combined with HA, so I'll follow up on this later this month.