Proxmox defaults to a VM CPU which may not include all of the features of your host CPU. You may need to change this to host to pass through the host CPU type.
If you plan to use NetworkMiner or other Mono-based applications in a Proxmox VM, then you may need to set the VM Display to VMware compatible (vmware).
If you’re going to install Security Onion in Proxmox and sniff live network traffic, you may need to do some additional configuration in Proxmox itself.
Passthrough Physical NIC
The first option is to sniff traffic from a physical NIC that has been passed through to the VM. For more information about Proxmox passthrough, please see:
Once the physical NIC is passed through to the Security Onion VM, then Security Onion should be able to correctly configure the NIC for sniffing.
The second option is to sniff traffic from a Proxmox virtual NIC. For more details, please see the discussion at https://github.com/Security-Onion-Solutions/securityonion/discussions/8245.
Keep in mind you may need to manually disable NIC offloading features on any Proxmox NIC used for sniffing (the physical interface and any related bridge interface). One way to do this is to add a post-up command to each sniffing interface in /etc/network/interfaces on the Proxmox host.
For example, if you have a Proxmox physical interface called enp2s0 with a bridge interface called vmbr1, then you might log into Proxmox and edit /etc/network/interfaces by adding the following to the enp2s0 section:
post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K enp2s0 $i off; done
and the following to the vmbr1 section:
post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K vmbr1 $i off; done
For more information about NIC offloading, please see https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html.
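To confirm that the post-up lines took effect after the interfaces come up, the following added example (not part of the Security Onion documentation) parses the output of ethtool -k and lists any of the eight targeted offloads that are still on. The function names and the sample output are constructed for illustration; the long feature names are the ones ethtool -k prints for rx, tx, sg, tso, ufo, gso, gro and lro.

```shell
#!/bin/sh
# Added example: check that the offloads disabled by the post-up loops
# (rx tx sg tso ufo gso gro lro) are really off on a sniffing interface.

# Long names that `ethtool -k` reports for those eight short names.
OFFLOADS="rx-checksumming tx-checksumming scatter-gather tcp-segmentation-offload udp-fragmentation-offload generic-segmentation-offload generic-receive-offload large-receive-offload"

# Read `ethtool -k <iface>` output on stdin and print every targeted
# feature that is still "on", one per line. Indented sub-feature lines
# and untargeted features are ignored. Prints nothing if all are off.
offloads_still_on() {
    awk -F': ' -v list="$OFFLOADS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) && $2 ~ /^on/ { print $1 }
    '
}

# Run the check against a live interface on the Proxmox host.
check_iface() {
    still_on=$(ethtool -k "$1" | offloads_still_on)
    if [ -n "$still_on" ]; then
        printf '%s: still enabled: %s\n' "$1" "$(echo $still_on)"
        return 1
    fi
    printf '%s: all targeted offloads are off\n' "$1"
}

# Constructed sample of `ethtool -k` output (not captured from a real host).
sample_ethtool_output() {
    cat <<'EOF'
Features for enp2s0:
rx-checksumming: on
tx-checksumming: off
    tx-checksum-ipv4: off [fixed]
scatter-gather: off
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
EOF
}

# Usage on the host: sh check-offload.sh enp2s0 vmbr1
[ "$#" -eq 0 ] || { rc=0; for nic in "$@"; do check_iface "$nic" || rc=1; done; exit "$rc"; }
```

A feature missing from the output, such as ufo on newer kernels, is simply not reported.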