Security Onion on Hyperv 2012

Mark Valerio

Sep 18, 2013, 9:42:18 PM
to securit...@googlegroups.com
Hello,

I'm using Security Onion 12.04 in a HyperV 2012 VM. I've gone through the installation instructions in the blog. Is there any way to directly bind the NIC adapter on the host to the Security Onion VM? I've created a virtual switch which ties into the physical NIC on the host, but looking at Wireshark, the mirrored traffic isn't being recognized in Security Onion.

I've confirmed that the host NIC is receiving mirrored traffic. It was mentioned to me that I should use SR-IOV, and I enabled it on the VM NIC, but the mirrored traffic still isn't recognized on the Security Onion VM.

Any help would be appreciated.

Matt Gregory

Sep 18, 2013, 10:01:16 PM
to securit...@googlegroups.com
I'm not familiar with HyperV, but I know in ESXi you can create promiscuous mode port groups on virtual switches, and any virtual NIC assigned to such a port group will see all traffic on the virtual switch.  You can also enable promiscuous mode at the vSwitch level so that all port groups on a vSwitch can see all traffic on the vSwitch.

I would assume HyperV has some similar functionality.

Matt


jswan

Sep 19, 2013, 12:05:00 PM
to securit...@googlegroups.com
I believe that in Hyper-V 2012 you need to use vNIC ACLs to mirror traffic on a per-vNIC basis, similar to setting up port mirrors on physical switches; I don't think you can do promiscuous mode for an entire vSwitch like in ESXi.

I haven't tried this yet, but it seems like a good option to get more granular than you can in ESXi.

Here's a link I found that discusses it:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/ba28cfa9-1843-4707-bff2-38db0cb404c3/mirroring-traffic-to-a-vm

Jay
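
Per-vNIC mirroring of the kind described in the post above is exposed in the Hyper-V PowerShell module as the `-PortMirroring` parameter of `Set-VMNetworkAdapter`. The following is an added example, not part of the original thread; the VM names and the adapter name `Sniffing` are hypothetical placeholders. It copies traffic only between vNICs attached to the same virtual switch.

```powershell
# Added example: run in an elevated PowerShell session on the Hyper-V 2012 host.
Import-Module Hyper-V

# Hypothetical names; replace with the real VM and adapter names.
$SensorVM      = 'SecurityOnion'      # VM that should receive the mirrored traffic
$SensorAdapter = 'Sniffing'           # the sensor's monitoring vNIC, not its management vNIC
$MonitoredVMs  = @('web01', 'dc01')   # VMs whose traffic should be copied to the sensor

# Resolve the sensor's monitoring adapter and make sure it is unambiguous and connected.
$sensor = @(Get-VMNetworkAdapter -VMName $SensorVM -Name $SensorAdapter -ErrorAction Stop)
if ($sensor.Count -ne 1) {
    throw "Expected exactly one adapter named '$SensorAdapter' on $SensorVM, found $($sensor.Count)."
}
$sensor = $sensor[0]
if (-not $sensor.SwitchName) {
    throw "Adapter '$SensorAdapter' on $SensorVM is not connected to a virtual switch."
}

# Mark each monitored vNIC as a mirror source. A source on a different
# virtual switch would never reach the sensor, so skip it with a warning.
foreach ($vm in $MonitoredVMs) {
    foreach ($nic in Get-VMNetworkAdapter -VMName $vm) {
        if ($nic.SwitchName -ne $sensor.SwitchName) {
            Write-Warning "$vm/$($nic.Name) is on switch '$($nic.SwitchName)', not '$($sensor.SwitchName)'; skipped."
            continue
        }
        Set-VMNetworkAdapter -VMNetworkAdapter $nic -PortMirroring Source
    }
}

# Mark the sensor's monitoring vNIC as the mirror destination.
Set-VMNetworkAdapter -VMNetworkAdapter $sensor -PortMirroring Destination

# Show the resulting mode of every adapter involved so the change can be reviewed.
Get-VMNetworkAdapter -VMName (@($SensorVM) + $MonitoredVMs) |
    Format-Table VMName, Name, SwitchName, PortMirroringMode -AutoSize
```

Setting `-PortMirroring None` on the same adapters reverts the change.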
