Security Onion only for HIDS

[networklord]

Hi all,

As there is no possibility to mirror Network traffic between VMs inside ESXI I need advice for distributed Install as I want to cover HIDS at least:

1.) Install Manager
2.) Install Search Node
3.) Possibly Install Fleet node ?

Would you also go with this setup?

Thanks.

[TotieBash]

What do you mean "As there is no possibility to mirror Network traffic between VMs inside ESXI"????
For single ESXi you can use standard or distributed vswitch "promiscuous mode". This behaves like a dumb hub.
For multiple ESXi in a cluster, you need distributed vswitch "mirroring" feature.

[networklord]

I have multiple VMs and one VM as Proxy which allows machines to access Internet. Are you saying that if I enable promiscuous mode on port group and add Security Onion forwarder to same group it will be able to monitor Network Traffic sent to Proxy and to VMs back?

[TotieBash]

Yes. If you enable "promiscuous mode" on that specific port group and SO-forwarder "monitor" interface is on the same port group your SO will get a copy of every packet in/out of that particular port group.

[networklord]

Thanks very much for info!!!!!!

…

On Mon, Aug 5, 2024, 22:32 TotieBash ***@***.***> wrote: Yes. If you enable "promiscuous mode" on that specific port group and SO-forwarder "monitor" interface is on the same port group your SO will get a copy of every packet in/out of that particular port group. — Reply to this email directly, view it on GitHub <#13435 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AKQVLRSHXTGVYNDVR5HAIJDZP7ONDAVCNFSM6AAAAABMABDH5CVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTAMRUGY4TINI> . You are receiving this because you authored the thread.Message ID: <Security-Onion-Solutions/securityonion/repo-discussions/13435/comments/10246945 @github.com>

[TotieBash]

no problem... Just to be super super clear, your proxy-vm and SO-vm needs to be on the same ESXi for "promiscuous mode" to work.

[networklord]

Understood. Only thing what confuses me is that promiscuous mode can be enabled on vswitch lvl, port lvl and NIC lvl.

My logic for this is:
If enabled on vswitch level it will accept traffic destinated to other vswitches and as default security policy say on port group inherit from vswitch. VMs will see each other traffic maybe even traffic from other port groups ( just putting theory here)
On nic level or uplink it will accept traffic destinated to other destinations in physical networks

Enabling it just on portgroup will do job for me