Re: [security-onion] Running an IDS in a VM


Scott Runnels

Oct 30, 2012, 2:17:39 PM10/30/12
to securit...@googlegroups.com
Hi Robin, 

I've not run SecurityOnion in Proxmox but I run one production sensor and my home development VM off of ESXi.  With this kind of setup in ESXi you have to turn on promiscuous mode in the virtual network.  I've not used Proxmox in a pretty long time, so I'm not sure if there is a corresponding operation in Proxmox.

v/r
Scott



On Tue, Oct 30, 2012 at 2:02 PM, Robin Wood <ro...@digininja.org> wrote:
I'm planning to run Security Onion in a Proxmox VM and I'm trying to find a way to pass all traffic on the host interface through to the guest VM.

I'm running the VM as a KVM not OpenVZ. I've tried with virtio and normal network cards. I've tried putting all the network interfaces on the host into promiscuous mode, but that doesn't help.

Can this be done and if so, how?

Robin

--
Scott Runnels


santosjd

Oct 30, 2012, 2:58:20 PM10/30/12
to securit...@googlegroups.com
You need to enable promiscuous mode only on the right interface. Not all.
Also follow this:
http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1004099
To configure a portgroup or virtual switch to allow promiscuous mode:
  1. Log into the ESXi/ESX host or vCenter Server using the vSphere Client.
  2. Select the ESXi/ESX host in the inventory.
  3. Click the Configuration tab.
  4. In the Hardware section, click Networking.
  5. Click Properties of the virtual switch for which you want to enable promiscuous mode.
  6. Select the virtual switch or portgroup you wish to modify and click Edit.
  7. Click the Security tab.
  8. From the Promiscuous Mode dropdown menu, click Accept.
Note: The setting on the portgroup overrides the virtual switch setting. For more information, see How promiscuous mode works at the virtual switch and portgroup levels (1002934).

You likely need to set the VLAN 4095 at the port group level, which allows the port group to see the traffic on any VLAN while leaving the VLAN tags intact.



2012/10/30 Robin Wood <ro...@digininja.org>
On Tuesday, 30 October 2012 18:17:41 UTC, Scott Runnels  wrote:
> Hi Robin,
>
> I've not run SecurityOnion in Proxmox but I run one production sensor and my home development VM off of ESXi.  With this kind of setup in ESXi you have to turn on promiscuous mode in the virtual network.  I've not used Proxmox in a pretty long time, so I'm not sure if there is a corresponding operation in Proxmox.

I've enabled promiscuous mode on all the interfaces from the command line (it sits on top of Debian) but it didn't help.

I'm sure it is possible, I'm probably just missing one flag somewhere.

Robin



Scott Runnels

Oct 30, 2012, 3:00:43 PM10/30/12
to securit...@googlegroups.com
I believe Robin is using Proxmox (http://www.proxmox.com/)

v/r
Scott

--
Scott Runnels


Robin Wood

Oct 30, 2012, 3:02:09 PM10/30/12
to securit...@googlegroups.com

How do I do that in Proxmox was the question.

Robin


Doug Burks

Oct 31, 2012, 8:18:42 AM10/31/12
to securit...@googlegroups.com
Hi Robin,

Have you tried this?

http://forum.proxmox.com/threads/10444-promiscuous-mode-in-CT-is-it-possible

Doug Burks

Nov 1, 2012, 6:18:30 AM11/1/12
to securit...@googlegroups.com
On Wed, Oct 31, 2012 at 6:38 PM, Robin Wood <ro...@digininja.org> wrote:
> On Wednesday, 31 October 2012 12:18:43 UTC, Doug Burks wrote:
>> Hi Robin,
>>
>> Have you tried this?
>>
>> http://forum.proxmox.com/threads/10444-promiscuous-mode-in-CT-is-it-possible
>
> That was the second vote for bridge_ageing and it has worked (mostly).
>
> The Onion box can now see all traffic between the outside world and another VM running on the server but for some reason looking at traffic to and from the actual host it can only see traffic leaving it, not coming in. That isn't a problem as the host will be dormant most of the time and not bothered about monitoring it.
>
> I did various restarts of things last night but it must have taken a full shutdown and restart to get things working properly.
>
> When I've finally got the box running I'm going to write it up and I'll send over a link.
>
> Robin

Sounds good, thanks!
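A constructed helper for the bridge_ageing fix Robin confirmed above, added here as an example and not something posted in the thread. It assumes a Debian-style /etc/network/interfaces with bridge-utils on the Proxmox host; the names vmbr1 and eth1 are placeholders.

```shell
# Constructed example for a Proxmox host (Debian, ifupdown + bridge-utils).
# vmbr1 and eth1 are placeholder names; substitute the host's real devices.

# Render an /etc/network/interfaces stanza for a dedicated sniffing bridge.
# bridge_ageing 0 turns off MAC learning, so the bridge floods every frame
# to all of its ports (hub behaviour) and a sensor VM attached to the bridge
# sees all traffic crossing it, not only frames addressed to its own MAC.
render_sniff_bridge() {
    br="$1"; nic="$2"
    printf 'auto %s\n' "$br"
    printf 'iface %s inet manual\n' "$br"
    printf '\tbridge_ports %s\n' "$nic"
    printf '\tbridge_stp off\n'
    printf '\tbridge_fd 0\n'
    printf '\tbridge_ageing 0\n'
    # Promiscuous mode on the physical port only (not every host interface),
    # so the NIC passes up frames not addressed to its own MAC.
    printf '\tup ip link set dev %s promisc on\n' "$nic"
}

# Live check on the host: sysfs reports ageing_time in hundredths of a second.
# Exit status 0 = ageing disabled, 1 = still learning, 2 = no such bridge.
bridge_ageing_disabled() {
    f="/sys/class/net/$1/bridge/ageing_time"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "0" ]
}

# Live check: does the interface currently carry the PROMISC flag?
iface_is_promisc() {
    ip -o link show dev "$1" 2>/dev/null | grep -q 'PROMISC'
}

# Offline check of a stanza read from stdin: prints "ok" when both settings
# the sensor depends on are present, otherwise lists what is missing.
stanza_has_sniff_settings() {
    stanza=$(cat)
    missing=""
    printf '%s\n' "$stanza" | grep -q 'bridge_ageing 0' || missing="$missing bridge_ageing"
    printf '%s\n' "$stanza" | grep -q 'promisc on' || missing="$missing promisc"
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}
```

The bridge still delivers frames for its own (local) MAC address to the host stack without flooding them to the other ports, which matches Robin's observation that the sensor saw the host's outbound but not its inbound traffic.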

Henrik

May 13, 2014, 4:25:16 PM5/13/14
to securit...@googlegroups.com
On Thursday, November 1, 2012 11:18:32 AM UTC+1, Doug Burks wrote:

Hello Robin,
Were you ever able to get an IDS running on Proxmox? I am looking into this possibility myself and would be interested if you ever found a solution.

Cheers,
Henrik

Robin Wood

May 13, 2014, 4:29:02 PM5/13/14
to securit...@googlegroups.com
I got it running but for some reason, and I can't remember what it
was, it didn't function well. Can't remember if it was a load issue or
something similar but it definitely worked as a concept.