puddle.town

Security Onion on Proxmox

I'm trying out Proxmox VE on the spare workstation in the garage. The idea is to use this as the bottom-layer hypervisor, and then to install VMs on top as needed. I like it a lot so far, and had no trouble setting up storage and the first three VMs for testing -- Ubuntu, PopOS and Elementary.

For the real challenge, I decided to install Security Onion. The hard part is getting the second NIC in the box onto a SPAN port off the switch, and then getting every mirrored frame all the way through to the Security Onion VM.

First we configure a SPAN (aka "mirror") port on our UniFi switch. We'll use port 7 as the SPAN destination, and mirror traffic from ports 2-4 and 9-11 (where we have other devices generating interesting traffic). The second NIC of the Proxmox box plugs into port 7.

enable
show monitor session all

configure
monitor session 2 destination interface 0/7
monitor session 2 source interface 0/2
monitor session 2 source interface 0/3
monitor session 2 source interface 0/4
monitor session 2 source interface 0/9
monitor session 2 source interface 0/10
monitor session 2 source interface 0/11
monitor session 2 mode

show monitor session all
exit
write memory

Second, we need to create an OVS Bridge on Proxmox using the GUI (the openvswitch-switch package must be installed on the host first). In this case the bridge will be named vmbr1, and we'll add the second NIC as a "port"; the second NIC was labeled enp5s0 in this case. Don't give vmbr1 an IP address: it exists only to carry the mirrored frames to the VM.

Third, at this point you can create the new VM on Proxmox. Be sure to add both network interfaces in the GUI: net0 on the normal management bridge, and net1 on vmbr1, which will become the sniffing interface.

Fourth, with the initial install of Security Onion done, here comes the tricky part. By default the bridge vmbr1 does NOT pass all of the mirrored traffic from the second NIC through to the VM: OVS is a learning switch, and once it has learned the MACs of the mirrored hosts on enp5s0 (they appear as source addresses in the mirrored traffic), frames addressed to those hosts are never forwarded out to the VM's tap. So we need to log in as root on Proxmox and, from the terminal, create a "Mirror" object named span1 that copies any traffic the bridge vmbr1 sees to the second virtual interface of VM 102 (aka tap102i1). Note that naming a port as a mirror's output port reserves it for mirroring: it receives only the mirrored copies, and anything the VM transmits on that interface is discarded, which is exactly what you want from a sniffing interface.

To figure out that virtual "tap" interface label (Proxmox names them tap<VMID>i<N> for the VM's netN), we ran:

ip address | grep tap

then the magic command, which in one ovs-vsctl transaction looks up the tap port as @p, creates the mirror with that port as its output, and attaches the mirror to the bridge:

ovs-vsctl -- --id=@p get port tap102i1 \
-- --id=@m create mirror name=span1 select-all=true output-port=@p \
-- set bridge vmbr1 mirrors=@m

ovs-vsctl show should now list both the physical NIC and the VM's tap as ports of the bridge (this command does not list the mirror itself):

root@pve:~# ovs-vsctl show
38b672cb-bcc8-491f-b8ec-9341089daf26
    Bridge "vmbr1"
        Port "tap102i1"
            Interface "tap102i1"
        Port "vmbr1"
            Interface "vmbr1"
                type: internal
        Port "enp5s0"
            Interface "enp5s0"
    ovs_version: "2.12.0"

To remove the mirror again (for example before re-creating it), this comes in handy:

ovs-vsctl clear bridge vmbr1 mirrors

Fifth, configure the Security Onion interfaces as usual. Inside the VM they will appear with different labels like ens18 or ens19; you can figure out which is which with ifconfig by matching MAC addresses against the ones Proxmox shows for net0 and net1 in the VM's Hardware tab. The interface on net0 is the management interface; the one on vmbr1 is the monitor interface.

Unfortunately the ovs-vsctl command needs to happen after every reboot. There's a script to automate that at the article below, but I haven't set that up yet. The Security Onion VM needs help booting anyway (with the nomodeset option), so I can manually handle reboots for now.
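The reboot problem can be handled with a Proxmox hookscript. The script below is an added example, not the author's or the vext.info script; it assumes VM ID 102, bridge vmbr1, mirror name span1, and that the VM's net1 is the interface on vmbr1 (so its tap is tap102i1). Proxmox runs a hookscript as "script <vmid> <phase>"; on post-start the script waits for the tap to be attached to the bridge, clears any stale mirror, re-runs the same ovs-vsctl transaction as above, and checks with ovs-vsctl list mirror that span1 exists (ovs-vsctl show does not list mirrors). On post-stop it clears the mirror, since the tap port is deleted with the VM and the mirror would be left without an output port.

```shell
#!/bin/sh
# Proxmox VM hookscript that recreates the OVS mirror whenever the
# Security Onion VM starts, and removes it when the VM stops.
# Added example, not from the original post. Assumptions: VM ID 102,
# bridge vmbr1, mirror name span1, and net1 of the VM (tap102i1) is the
# sniffing interface. Install on the Proxmox host:
#   cp span-mirror.sh /var/lib/vz/snippets/span-mirror.sh
#   chmod +x /var/lib/vz/snippets/span-mirror.sh
#   qm set 102 --hookscript local:snippets/span-mirror.sh
set -eu

BRIDGE="${BRIDGE:-vmbr1}"
MIRROR="${MIRROR:-span1}"
NETNUM="${NETNUM:-1}"     # the VM's netN that is plugged into $BRIDGE

# Proxmox names a VM's tap devices tap<vmid>i<netnum>, so the monitor
# interface for net1 of VM 102 is tap102i1.
tap_name() {
    printf 'tap%si%s\n' "$1" "$2"
}

# The whole mirror setup as one ovs-vsctl transaction (the command from
# the post, parameterised). Each "--" starts a sub-command; --id=@x stores
# that row's UUID so later sub-commands can reference it.
mirror_args() {
    tap=$(tap_name "$1" "$NETNUM")
    printf '%s %s %s\n' \
        "-- --id=@p get port $tap" \
        "-- --id=@m create mirror name=$MIRROR select-all=true output-port=@p" \
        "-- set bridge $BRIDGE mirrors=@m"
}

# Read "ovs-vsctl --bare --columns=name list mirror" output on stdin and
# succeed only if our mirror name is one of the rows.
has_mirror_in() {
    grep -qx "$MIRROR"
}

has_mirror() {
    ovs-vsctl --bare --columns=name list mirror | has_mirror_in
}

# Wait up to ~10 s for Proxmox to attach the tap to the bridge.
wait_for_port() {
    n=0
    until ovs-vsctl port-to-br "$1" >/dev/null 2>&1; do
        n=$((n + 1))
        [ "$n" -lt 10 ] || return 1
        sleep 1
    done
}

main() {
    vmid="$1"
    phase="$2"
    case "$phase" in
        post-start)
            tap=$(tap_name "$vmid" "$NETNUM")
            wait_for_port "$tap" || { echo "$tap never appeared on $BRIDGE" >&2; exit 1; }
            # Drop any stale mirror first: when the VM stops its tap port is
            # deleted, leaving the old mirror with no output port.
            ovs-vsctl clear bridge "$BRIDGE" mirrors
            # shellcheck disable=SC2046  # splitting into separate arguments is intended
            ovs-vsctl $(mirror_args "$vmid")
            has_mirror || { echo "mirror $MIRROR was not created" >&2; exit 1; }
            ;;
        post-stop)
            ovs-vsctl clear bridge "$BRIDGE" mirrors
            ;;
    esac
}

# Proxmox calls hookscripts as: <script> <vmid> <phase>. Only act in that
# case, so the functions above can be sourced or tested without OVS present.
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

The hookscript has to live in a storage that allows the snippets content type (for the default local storage that is /var/lib/vz/snippets) and must be executable; the qm set line in the header registers it for the VM. Running it by hand as "span-mirror.sh 102 post-start" does the same as the manual command above, and ovs-vsctl list mirror afterwards shows the span1 row with its select_all and output_port columns filled in.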

This article really helped: vext.info

#infosec #linux #proxmox