Security Onion on Proxmox
I'm trying out Proxmox VE on the spare workstation in the garage. The idea is to use this as the bottom-layer hypervisor, and then to install VMs on top as needed. I like it a lot so far, and had no trouble setting up storage and the first three VMs for testing -- Ubuntu, PopOS and Elementary.
For the real challenge, I decided to install Security Onion. The challenge here is getting the second NIC in the box to monitor a SPAN port off the switch, and getting that traffic to pass all the way through to the Security Onion VM.
First we configure a SPAN (aka "mirror") port on our Unifi switch. We'll use port 7 for the SPAN, and mirror traffic from ports 2-4 and 9-11 (where we have other devices generating interesting traffic).
enable
show monitor session all
configure
monitor session 2 destination interface 0/7
monitor session 2 source interface 0/2
monitor session 2 source interface 0/3
monitor session 2 source interface 0/4
monitor session 2 source interface 0/9
monitor session 2 source interface 0/10
monitor session 2 source interface 0/11
monitor session 2 mode
show monitor session all
exit
write memory
Second, we need to create an OVS Bridge on Proxmox using the GUI. In this case the bridge will be named vmbr1, and we'll add the second NIC as a "port"; here the second NIC was labeled enp5s0.
Third, at this point you can create the new VM on Proxmox. Be sure to add both network interfaces in the GUI.
Fourth, with the initial install of Security Onion done, here comes the tricky part. By default the bridge vmbr1 does NOT pass all the traffic from the second NIC through to the VM. So we need to log in as root to Proxmox and, from the terminal, create a new "Mirror" object named span1 which will output to the second virtual interface on VM 102 (aka tap102i1) any traffic it sees coming into the bridge.
To figure out that virtual "tap" interface label, we ran:
ip address | grep tap
then the magic command:
ovs-vsctl -- --id=@p get port tap102i1 \
          -- --id=@m create mirror name=span1 select-all=true output-port=@p \
          -- set bridge vmbr1 mirrors=@m
we should now see:
root@pve:~# ovs-vsctl show
38b672cb-bcc8-491f-b8ec-9341089daf26
    Bridge "vmbr1"
        Port "tap102i1"
            Interface "tap102i1"
        Port "vmbr1"
            Interface "vmbr1"
                type: internal
        Port "enp5s0"
            Interface "enp5s0"
    ovs_version: "2.12.0"
this may also come in handy:
ovs-vsctl clear bridge vmbr1 mirrors
Fifth, configure the Security Onion interfaces as usual. They will appear with different labels like ens19, but you can figure out which is which with ifconfig.
Unfortunately the ovs-vsctl command needs to happen after every reboot. There's a script to automate that at the article below, but I haven't set that up yet. The Security Onion VM needs help booting anyway (with the nomodeset option), so I can manually handle reboots for now.
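One way to stop re-typing the mirror command after every reboot is to let Proxmox run it for you whenever the VM starts. The script below is an added example written for this post; it is not the post's own script nor the one from the linked article. It assumes the same names used above (bridge vmbr1, VM 102, mirror span1, the VM's second virtual NIC net1 which Proxmox exposes on the host as tap102i1) and relies on the Proxmox hookscript mechanism, which calls the script as "<script> <vmid> <phase>" with phases such as post-start and post-stop. Because the tap device only exists while the VM runs, the mirror is created on post-start and torn down on post-stop, so the bridge never keeps a mirror pointing at a vanished port. Setting OVS_VSCTL=echo turns every ovs-vsctl call into a printed dry run, which is how you can check the generated command before trusting it on a live host.

```shell
#!/bin/sh
# Re-create the OVS SPAN mirror for the Security Onion VM on every start.
# Added example, not the post's script. Assumptions: bridge vmbr1, VM 102,
# the VM's second NIC is net1 (host side: tap102i1), mirror named span1.
# Usage by hand:     ./span-mirror.sh 102 post-start
# As a hookscript:   copy to /var/lib/vz/snippets/span-mirror.sh, then
#                    qm set 102 --hookscript local:snippets/span-mirror.sh
# Proxmox invokes hookscripts as "<script> <vmid> <phase>".

OVS_VSCTL="${OVS_VSCTL:-ovs-vsctl}"   # set OVS_VSCTL=echo for a dry run
BRIDGE="${BRIDGE:-vmbr1}"
MIRROR="${MIRROR:-span1}"
NIC_INDEX="${NIC_INDEX:-1}"           # net1 in the VM config = second NIC

# Proxmox names a VM's host-side tap devices tap<vmid>i<netN>.
tap_name() {
  printf 'tap%si%s\n' "$1" "$2"
}

# The tap device only exists once the VM is running.
tap_exists() {
  [ -d "/sys/class/net/$1" ]
}

# One ovs-vsctl transaction: look up the port record as @p, create a mirror
# that selects all bridge traffic and outputs to @p, and attach it to the
# bridge (this is the same three-part command as in the post, parameterised).
create_mirror() {
  bridge="$1"; mirror="$2"; port="$3"
  "$OVS_VSCTL" -- --id=@p get port "$port" \
               -- --id=@m create mirror name="$mirror" select-all=true output-port=@p \
               -- set bridge "$bridge" mirrors=@m
}

# Remove every mirror from the bridge (same as the "clear" command above).
clear_mirrors() {
  "$OVS_VSCTL" clear bridge "$1" mirrors
}

# Show which mirror records are attached to the bridge, for a post-check.
show_mirrors() {
  "$OVS_VSCTL" get bridge "$1" mirrors
}

hook_main() {
  vmid="$1"; phase="$2"
  tap=$(tap_name "$vmid" "$NIC_INDEX")
  case "$phase" in
    post-start)
      if ! tap_exists "$tap"; then
        echo "$tap not present; is net$NIC_INDEX of VM $vmid attached to $BRIDGE?" >&2
        return 1
      fi
      clear_mirrors "$BRIDGE"     # idempotent: a second run never stacks mirrors
      create_mirror "$BRIDGE" "$MIRROR" "$tap"
      show_mirrors "$BRIDGE"
      ;;
    post-stop)
      clear_mirrors "$BRIDGE"     # the tap disappears with the VM; drop the mirror
      ;;
    *)
      ;;                          # pre-start / pre-stop: nothing to do
  esac
}

# Only act when called with the hookscript arguments; sourcing the file
# for the functions alone does nothing.
if [ "$#" -ge 2 ]; then
  hook_main "$@"
fi
```

Keep the mirror name and VM id in one place (the variables at the top) so the hookscript and the manual command can never drift apart; if the SPAN traffic stops arriving in the VM after a host upgrade, the first thing to check is `ovs-vsctl get bridge vmbr1 mirrors`, which should list exactly one record while the VM is up.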
This article really helped: vext.info