Wondering if anyone has gotten this to work. I'm using Security Onion and have a CentOS7 VM as my sensor. I have ERSPAN configured in VMWare (Type II or Type III) on the VDS to traffic to the Linux sensor node's monitor NIC IP. This is working - I can see the ERSPAN traffic coming in:
18:21:46.442220 IP esxihost.internal > hunter-sensor: GREv0, seq 205937, length 161: gre-proto-0x22eb
Per this site, I enabled IP_GRE, set up the monitoring interface, etc., but it doesn't seem to work. I never get traffic on mon0. https://brezular.com/2015/05/03/decapsulation-erspan-traffic-with-open-source-tools/
ip a show mon0 gives me
219: mon0@NONE: <NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1000
link/gre 10.85.167.40 brd 0.0.0.0
inet 1.1.1.1/30 scope global mon0
valid_lft forever preferred_lft forever
I've tried this a million times, redoing it, and it never works.
It doesn't seem like it should be difficult to decapsulate ERSPAN traffic.
Any thoughts or help would be GREATLY!!! appreciated.
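Added example (not from the original post or the linked guide): a small Python parser for the encapsulation shown in the tcpdump line above. GRE protocol type 0x22eb is ERSPAN Type III and 0x88be is ERSPAN Type II; both carry an ERSPAN header between the GRE header and the mirrored Ethernet frame, and that is what has to be stripped before a monitor interface like mon0 can show the original packets. The sample packet at the bottom is constructed for the example.

```python
# Added example, not code from the original post: strip GRE + ERSPAN
# (Type II, proto 0x88be; Type III, proto 0x22eb as in the tcpdump line)
# and return the inner Ethernet frame that the sensor should be seeing.
import struct

GRE_PROTO_ERSPAN_II = 0x88BE   # ERSPAN Type II  (ERSPAN version field = 1)
GRE_PROTO_ERSPAN_III = 0x22EB  # ERSPAN Type III (ERSPAN version field = 2)


def parse_gre(buf):
    """Return (protocol, sequence, header_length) for a GRE header (RFC 2890)."""
    flags, proto = struct.unpack_from("!HH", buf, 0)
    off = 4
    if flags & 0x8000:          # C bit: checksum + reserved1
        off += 4
    if flags & 0x2000:          # K bit: key
        off += 4
    seq = None
    if flags & 0x1000:          # S bit: sequence number (tcpdump's "seq N")
        seq = struct.unpack_from("!I", buf, off)[0]
        off += 4
    return proto, seq, off


def decap_erspan(gre_payload):
    """Strip GRE and ERSPAN headers; return (metadata dict, inner Ethernet frame)."""
    proto, seq, off = parse_gre(gre_payload)
    if proto not in (GRE_PROTO_ERSPAN_II, GRE_PROTO_ERSPAN_III):
        raise ValueError("GRE protocol 0x%04x is not ERSPAN" % proto)
    ver_vlan, cos_session = struct.unpack_from("!HH", gre_payload, off)
    meta = {
        "gre_seq": seq,
        "erspan_version": ver_vlan >> 12,     # 1 = Type II, 2 = Type III
        "vlan": ver_vlan & 0x0FFF,
        "session_id": cos_session & 0x03FF,   # low 10 bits of the second word
    }
    if proto == GRE_PROTO_ERSPAN_II:
        hdr_len = 8                           # ver/vlan, cos/en/t/session, reserved/index
    else:
        meta["timestamp"] = struct.unpack_from("!I", gre_payload, off + 4)[0]
        last = struct.unpack_from("!H", gre_payload, off + 10)[0]
        hdr_len = 12 + (8 if last & 0x1 else 0)   # O bit: optional platform subheader
    return meta, gre_payload[off + hdr_len:]


# Constructed sample: GRE (S flag, proto 0x22eb, seq 205937) + ERSPAN Type III
# (vlan 100, session 5, no optional subheader) + a minimal Ethernet/IPv4 frame.
SAMPLE = (struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN_III, 205937)
          + struct.pack("!HHIHH", (2 << 12) | 100, 5, 0x12345678, 0, 0)
          + bytes.fromhex("00163e000001" "00163e000002" "0800") + b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    meta, frame = decap_erspan(SAMPLE)
    print(meta, frame[:14].hex())
```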