Setting up NIDS in VE, where put it in architecure and how redirect all trafic from/to Snort/Suricata

marcinr_92

New Member
Jan 2, 2021
12
0
1
30
Hello all,

I want deploy snort in my VE, but i wounder what is the beast approach to do that. First idea is deploy vm with snort or something similar like suricata, but the real problem is ... how to redirect all traffic from NIC, VE from/to snort.

I imagine it like this:
vmbrX <--> Snort/Suricata <--> VE (other virtual machines)

So, should i do that from proxmox instance ? How we solve that in your environment? I don't do deep research, but the first thought that comes to my mind are routing tables. It is right ?
 
Last edited:

Stoiko Ivanov

Proxmox Staff Member
Staff member
May 2, 2018
7,439
1,198
164
You have several possibilities:
* install nids of your choice (suricata/suricata) directly on the PVE node - and let it scan the traffic coming in on the NICs of the machine - see https://pve.proxmox.com/wiki/Firewall) (IDS or IPS)
* create a SPAN/Mirror port on the vmbr, where all guests are connected (s ee https://forum.proxmox.com/threads/problem-with-snort-and-port-mirroring.59068/ for some more details) and use that for sniffing (only IDS)
* create a nids -VM with 3 interfaces (management, in, out), put the 'in' interface as only interface in the bridge where the hosts NIC is, put the 'out' interface in another bridge (vmbr1), connect all VMs to vmbr1 (also the mgmt -port of the nids VM)


I hope that helps!
 
  • Like
Reactions: marcinr_92

marcinr_92

New Member
Jan 2, 2021
12
0
1
30
Thank you so much ! :) i have a liitle problem yet with good understanding how traffic work in full virtual environment :) but i working on it :)
 

thierrykaya

New Member
Jul 31, 2021
7
1
1
Brussels
You have several possibilities:
* install nids of your choice (suricata/suricata) directly on the PVE node - and let it scan the traffic coming in on the NICs of the machine - see https://pve.proxmox.com/wiki/Firewall) (IDS or IPS)
* create a SPAN/Mirror port on the vmbr, where all guests are connected (s ee https://forum.proxmox.com/threads/problem-with-snort-and-port-mirroring.59068/ for some more details) and use that for sniffing (only IDS)
* create a nids -VM with 3 interfaces (management, in, out), put the 'in' interface as only interface in the bridge where the hosts NIC is, put the 'out' interface in another bridge (vmbr1), connect all VMs to vmbr1 (also the mgmt -port of the nids VM)


I hope that helps!
Hi,

Which one of these 3 options you reckon would fit in with Proxmox' security model and not increase its attack surface ?

Cheers,
 
  • Like
Reactions: bfwdd

MH_MUC

Member
May 24, 2019
52
3
13
35
Hi Stoiko, is there a tutorial for the integration of suricata that is a little more detailed then the one in the wiki?
 

Stoiko Ivanov

Proxmox Staff Member
Staff member
May 2, 2018
7,439
1,198
164
Hi Stoiko, is there a tutorial for the integration of suricata that is a little more detailed then the one in the wiki?
Nothing official from our side (that I'm aware of) - a quick search here shows the following potentially interesting results:
https://forum.proxmox.com/threads/s...ricata-ids-ips-after-host-pve-firewall.44034/

maybe also the 'Mastering Proxmox' book series could be of interest:
https://books.google.at/books?id=qE...Q6AF6BAghEAM#v=onepage&q=PVE suricata&f=false

(keep in mind that I have not tried those tutorials - so cannot guarantee that they will work or are sensible)
 

MH_MUC

Member
May 24, 2019
52
3
13
35
Hi, thank you very much for the reply. I have the proxmox-book, but the chapter doesn't contain anything, that one wouldn't find in your wiki.
I think the solution would be to create a VM with pfsense as described somewhere here in the forums. This seems to be a challenge if combined with HA, so I'll follow up on this later this month.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!