Threat Hunting with SecurityOnion, Proxmox & Port Mirroring

Ever wondered if your washing machine was sending a gigabyte a day to AWS? Curious to know to what extent the North Koreans are beaconing from your VSCode? Yearning to know if all your Unifi kit is really as pwned as Krebs would have you believe?

Well, wonder no longer. Get some visibility! Prerequisites for this lab: a Proxmox host with a spare physical NIC, a switch capable of port mirroring (SPAN) or a network tap, and a SecurityOnion VM with a second virtual NIC to sniff on.

Step 1: Configure your switch to mirror all traffic, both directions, from your uplink port (the port that connects your LAN to your router) to an unused port on the switch (we'll call this the mirror port). If you want to rule out compromise of your switch itself, use a tap instead of a mirror port; a tap also won't silently drop frames when both directions of a busy uplink add up to more than a single mirror port can carry. More exotic networks may want to mirror multiple ports, etc., but we'll assume a simple setup for starters.

Step 2: Connect an Ethernet cable from the mirror port to an unused NIC on your Proxmox host (we'll call it eno5). This NIC only ever receives mirrored traffic and needs no IP address of its own.

Step 3: Create a new bridge interface (using Open vSwitch, we'll call it vmbr2) on your Proxmox hypervisor and attach eno5 to it. This needs the openvswitch-switch package installed on the host. Sample /etc/network/interfaces config below (apply it with ifreload -a or a reboot):

   auto eno5
   iface eno5 inet manual
        ovs_type OVSPort
        ovs_bridge vmbr2
   
   auto vmbr2
   iface vmbr2 inet manual
        ovs_type OVSBridge
        ovs_ports eno5

Step 4: Find the tap interface on the hypervisor associated with the SecurityOnion VM: ip a | grep tap. The tap interfaces are named after the VM ID and the NIC number, tap[VM-ID]i[interface#], counting from zero. So the second interface (net1) on VM ID 1337 would be tap1337i1. The tap only exists while the VM is running, so start the VM first.

Step 5: Create an Open vSwitch SPAN session that mirrors everything on the bridge to the tap interface. Without it, vmbr2 behaves like any learning switch: it learns every source MAC it sees arriving on eno5 and will not forward unicast frames addressed to those MACs out to the tap, so the VM would only see broadcasts and flooded traffic. select-all=true selects every frame entering or leaving any port on vmbr2 and output-port sends the copies to the tap:

   sudo ovs-vsctl -- --id=@p get port tap1337i1 -- \
   --id=@m create mirror name=span1 select-all=true \
   output-port=@p -- set bridge vmbr2 mirrors=@m

Note that Step 5 has to be done EVERY time the VM is stopped and started again. This mirror will persist across reboots from inside the guest, but not power off, power on events, because the tap device (and with it the OVS port record the mirror points at) is destroyed when the VM stops and recreated when it starts. vext has come up with a cron/shell hack that reconfigures the mirror each time the hypervisor host reboots.

Step 6: Make sure the second "sniffing" network interface on SecurityOnion (net1 in the Proxmox VM config) is attached to vmbr2 and that Security Onion's setup was pointed at it as the monitor interface. Then dump traffic on the sniffing interface of the SecurityOnion VM, in this case eth1: tcpdump -n -i eth1. Assuming the mirror is set correctly on your physical switch, you should see a lot of traffic. Test this by initiating a connection from another machine on the LAN (e.g. ping a specific host on the Internet) and filter for it on the SecurityOnion: tcpdump -n -i eth1 icmp and host <that host>. If nothing shows up, check each hop in turn: the mirror session on the switch, link state on eno5 (ip link show eno5), the OVS mirror (ovs-vsctl list mirror), and that the VM's NIC really is on vmbr2 rather than vmbr0.

Step 7: If you decide at some point to stop running the mirror, you can tear it down as follows: ovs-vsctl clear bridge vmbr2 mirrors
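The note under Step 5 is the annoying part of this setup. A cleaner alternative to a cron hack is a Proxmox hookscript: the hypervisor runs it with the VM ID and a phase name (pre-start, post-start, pre-stop, post-stop) every time the VM's state changes, including when the VM is autostarted after a host reboot. The script below is an added example, not code from the original post or from vext's cron approach. On post-start it checks that the tap actually sits on vmbr2, clears any stale mirror and recreates it with the same ovs-vsctl transaction as Step 5; on post-stop it runs the Step 7 teardown. The bridge name vmbr2, mirror name span1 and VM ID 1337 are taken from the steps above; that the sniffing NIC is net1 (hence tap1337i1) is an assumption, as is the OVS_VSCTL override, which exists only so the logic can be dry-run against a fake ovs-vsctl.

```sh
#!/bin/sh
# so-mirror.sh: Proxmox hookscript that keeps the OVS SPAN mirror feeding the
# SecurityOnion sniffing NIC alive across VM power off / power on.
# Added example, not part of the original post.
# Install (the storage must have the "snippets" content type enabled):
#   cp so-mirror.sh /var/lib/vz/snippets/ && chmod +x /var/lib/vz/snippets/so-mirror.sh
#   qm set 1337 --hookscript local:snippets/so-mirror.sh
# Proxmox runs it as:  so-mirror.sh <vmid> <phase>
set -eu

BRIDGE="vmbr2"       # OVS bridge holding the mirror NIC (eno5), from Step 3
MIRROR="span1"       # name of the OVS Mirror record, from Step 5
SNIFF_NET=1          # assumption: the VM's sniffing NIC is net1 -> tap<vmid>i1
OVS_VSCTL="${OVS_VSCTL:-ovs-vsctl}"   # overridable so the logic can be dry-run

# Proxmox names tap devices tap<vmid>i<N> for the VM's netN.
tap_name() {
    printf 'tap%si%s\n' "$1" "$2"
}

# Refuse to mirror into a tap that is not on the expected bridge: that usually
# means the sniffing NIC was left on vmbr0 in the VM config, and mirroring the
# uplink onto the production bridge is not what anyone wants.
tap_on_bridge() {
    tap=$1
    br=$("$OVS_VSCTL" port-to-br "$tap" 2>/dev/null) || {
        echo "$tap is not an OVS port (is the VM running?)" >&2
        return 1
    }
    [ "$br" = "$BRIDGE" ] || {
        echo "$tap is on $br, expected $BRIDGE" >&2
        return 1
    }
}

# Drop whatever mirror is on the bridge (Step 7). The Mirror record is garbage
# collected once no bridge references it, so this is a complete teardown.
mirror_clear() {
    "$OVS_VSCTL" clear bridge "$BRIDGE" mirrors
}

# Recreate the mirror in one ovs-vsctl transaction (the Step 5 command), so
# either the whole mirror exists or none of it does.
mirror_create() {
    tap=$1
    "$OVS_VSCTL" -- --id=@p get port "$tap" \
        -- --id=@m create mirror "name=$MIRROR" select-all=true output-port=@p \
        -- set bridge "$BRIDGE" mirrors=@m
}

hook_main() {
    vmid=${1:-}
    phase=${2:-}
    case "$phase" in
        post-start)
            # The tap exists only now that QEMU is up; any old mirror lost its output port.
            tap=$(tap_name "$vmid" "$SNIFF_NET")
            tap_on_bridge "$tap" || return 1
            mirror_clear
            mirror_create "$tap"
            ;;
        post-stop)
            mirror_clear
            ;;
        *)
            # pre-start / pre-stop / anything else: nothing to do
            ;;
    esac
}

hook_main "${1:-}" "${2:-}"
```

Exiting non-zero from the post-start branch does not stop the VM (it is already running by then), but it does surface the failure in the task log instead of leaving you silently blind; the bridge check is there so a mis-homed sniffing NIC is caught rather than quietly mirrored onto the wrong bridge.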

Credits to Omar Santos and bilk0h.