Mirrored port traffic not showing up on bridged network inside virtualbox guest running security onion 2.3

[adespain]

I have security onion installed on a virtualbox guest (version 2.3 security onion ISO Centos). Virtualbox is installed on a macbook pro running MacOS Monterey 12.6.7. I have a switch port configured to mirror another port. My macbookpro has a wifi interface for management and a usb gigabit ethernet interface for sniffing. Using the wireshark that is installed on my macbook I can see all of the tcp traffic so I know the mirrored port is working. However, when using tcpdump on the bridged interface used for sniffing traffic on the guest security onion VM I can only see some broadcast traffic and nothing else. I have tried configuring the 2nd sniffing interface with host-only mode as well but I don't see any traffic with that. I have promiscuous mode enabled.

Do you have any suggestions for me to try?

[reyesj2]

I am assuming you have the Security Onion VM setup as a standalone node? What is the virtualization software you're using? You may need to set the any virtual switch between the host and vm to vlan 4095 https://docs.securityonion.net/en/2.3/vmware.html?highlight=vlan#esxi

[adespain]

Hi, thanks for responding. Yes I have it configured for standalone mode. Are you asking what virtualization software other than virtualbox mentioned above? I don't have any other virtualization software or vlans configured so not sure that would help me. Any other thoughts?

[reyesj2]

Sorry, didn't see you had mentioned virtualbox. You said the ethernet adapter is usb, are you able to do usb pass-through and connect that directly to the SO vm?
Then you'll probably need to identify that new interface and do so-monitor-add

[adespain]

I have the virtualbox VM configured with 2 NICs, both of them are configured as bridged interfaces and I can select the physical interfaces on the host for each of them so I am guessing that is what you mean by usb pass-through. The mac address that is shown in the network configuration of virtualbox is the same mac address I see for the interface on the VM. I am not familiar with so-monitor-add so I will look into that, thank you!

[reyesj2]

I understand the bridged interfaces you've setup I was wondering if you could try "bypassing" the host. You mentioned the sniffing interface was a usb ethernet adapter. You should be able to tell virtual box to connect that usb device directly to the VM. That way your host machine will no longer see the device. It will be directly attached to the virtual machine. When you do that a new interface will appear on your SO vm that you will need to add to the bond0 interface with so-monitor-add <interface_name>

[adespain]

ah ok, I will take a look, thanks again!

[adespain]

ok I ran the command and it didn't give me any feedback, it gave me the prompt back so I assume it added it. I can see an enp0s8 interface and bond0 interface on the SO VM with the same mac address. However when I tcpdump either interface I am not seeing any tcp traffic...

[adespain]

I just checked on the host and I can still see the en5 interface...so maybe I am doing something wrong since you said the host machine wouldn't see that usb interface anymore?

[adespain]

Thanks @reyesj2 that was the fix. I had to shutdown the VM, remove the 2nd NIC in the network adapters virtualbox settings and then I had to add the usb3 port as a passthrough and that allowed me to see the traffic after adding it with the so-monitor-add command you mentioned. Virtualbox 7.0.8 gives an error when trying to pass usb through to the VM but the fix is to run it with root privileges. This thread helped with that:

https://forums.virtualbox.org/viewtopic.php?f=8&t=107333#p527198

Thanks again for the help!