Security Onion & Proxmox SPAN Port

After a couple of weeks, I’ve been able to solve the Proxmox & Security Onion SPAN port mystery. The issue was, creating a virtual TAP, within Proxmox, in order to capture all traffic. Various places online said it worked, but all were missing vital pieces for implementation. After searching and digging, I managed to put the puzzle together. Previously, I ran VMware 6.7 U3 on my servers along with various VMs. The setup was straight-forward providing you have a working knowledge of VMware network functionality. All you did for that setup is create a SPAN port, make the physical connection, and assign it to a VM that can listen in promiscuous-mode, done.

Now, let’s get to the reason you’re here!

After effortless searching and tons of knowledge gained. I’ve been able to piece together the proper steps in order to create a SPAN port on Proxmox and pass it to Security Onion. There are multiple possibilities within an environment to achieve this. Before you begin, backup your /etc/network/interfaces file.

First, you will need to install Openvswitch.

apt install openvswitch-switch

After successfully installing Openvswitch, create an “OVS Bridge” within the chosen node, and assign a number to that bridge. I chose to assign 15, or  “vmbr15” to be exact.

After OVS bridge creation, ensure you bridge a physical port to the virtual bridge. My physical port is, “eno3.”

Once complete, within your network tab of the node you’re configuring, you’ll notice you now have an “OVS Port” for “eno3.” The two examples are the results of what you should see.

You’re almost there.

Follow the instructions below:

This is what you need to know and the command to get you there.

  • ip -brie a  – This will show you your interfaces, notice the “tapxxxix” interfaces. Those are the TAPs/ SPANS associated with the VM by VMID. See mine for reference.

As you can see above, we’re working with VM 102 and interface assigned to the VM. So, we know that tap102i1 is assigned to virtual bridge “vmbr15”, with a shared bridge of “eno3.” This output does not state eno3, but you bridged that connection earlier. For clarity, this is what my Security Onion sensor looks like under the hardware tab:

As you can see here, net1 is directly associated with vmbr15; therefore, it is also directly assigned to tap102i1.

Take note of the VM you want to pass the SPAN traffic to. My Security Onion sensor sits at VMID102 with ten bridges attached to it.

  1. WAN Network – 192.168.3.2 on VLAN 30 – This places SO on an external network within a VLAN so that I may access SO from the WAN (external network). Having multiple bridges attached to multiple networks allows me to pass Syslog traffic. You could also create Floating rules (Opnsense & PFSense) to route traffic to your sensor.
  2. VMBR15 – This is the bridge with eno3 (physical port) bridged to catch all the SPAN traffic.
  3. The infrastructure network is where I place all my security appliances for my network.
  4. Now, all you have to do is grab the “tap” that coincides with your bridge you assigned to your host VM you want to SPAN traffic to. In my case, I used “tap102i1” for the second bridge assigned to my security onion.
  5. Once you have selected the appropriate tap, ensure you edit the Proxmox script to reflect your tap and bridge (vmbr) you want to assign to.
  6. chmod +x proxmox script and add it to cron.

crontab -e

@reboot sleep 60 && /root/proxmox-seconiontap.sh

!/bin/dash

proxmox-seconiontap.sh

SECONIONLOG=/root/proxmox-seconiontap.log

date >> $SECONIONLOG

echo “####################” >> $SECONIONLOG

echo “Clearing any existing mirror…” >> $SECONIONLOG

ovs-vsctl clear bridge vmbr15 mirrors

echo “Creating mirror on vmbr15 for Security Onion…” >> $SECONIONLOG

ovs-vsctl — –id=@p get port tap102i1 \
— –id=@m create mirror name=span1 select-all=true output-port=@p \
— set bridge vmbr15 mirrors=@m >> $SECONIONLOG

echo “Showing existing mirrors…” >> $SECONIONLOG

ovs-vsctl list Mirror >> $SECONIONLOG

echo “####################” >> $SECONIONLOG

Dont’ forget to save your file. Remember what name and path you gave it so that you may pass that along to the cron job.

You can do two things at this point. You can restart networking or reboot. I recommend rebooting the node. If you’re curious of the other option, here is:

systemctl restart networking

If all went well, you should now see your mirrored / SPAN’d traffic in Security Onion, or whatever application you applied this technique.

Lastly, if you notice that you’re script doesn’t execute upon reboot after the 60 seconds you gave it, adjust the time in cron. Also, you can just ./script to script to kick it off. Now, run your tcpdump on the configured interface and watch the traffic pour in.

If you manage to destroy your interfaces file, reboot your system and boot into “Advanced Options” for Proxmox and rollback your kernel. Fix your errors on boot and try again.

References:

The awesome script was provided here:

https://vext.info/2018/09/03/cheat-sheet-port-mirroring-ids-data-into-a-proxmox-vm.html

The understanding of OVS is here:

http://docs.openvswitch.org/en/latest/faq/configuration/