ERSPAN Collection

[Rennilon]

Version

2.4.40

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

48

RAM

64GB

Storage for /

150GB

Storage for /nsm

8TB

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

We are trying to setup a new SPAN to a new SO Sensor. We are now using Cisco ACI and apparently we need to use ERSPAN instead of just a regular SPAN port like we did in the past.

I'm being asked to address one of the sensor interfaces so that we can send ERSPAN traffic to it.

What do I need to do to make sure that the sensor handles the ERSPAN traffic correctly?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[reyesj2]

In that case I believe you would want to send the ERSPAN traffic to another cisco device that can decapsulate the GRE layer and then use a regular span port to send it to an interface on your sensor for regular ingest.
If you tried sending it directly to the sensor interface it would be encapsulated in a GRE tunnel and there is nothing to decapsulate this on the SO sensor.

[petiepooo]

I don't see why your sensor couldn't receive an ERSPAN and monitor packets received via it. The last time I dealt with ERSPAN was on SO 16.04 where I used the RCDCAP framework to decapsulate it and push packets to a dummy iface. It was quite CPU-intensive, even using pf_ring, but Linux now supports ERSPAN natively in kernelspace. The command should be similar to:

ip link add dev erspan0 type erspan seq key 10 local 172.16.32.2 remote 172.16.32.1 erspan_ver 1

There are plenty of sites showing how to create a netdev device using ip link. The trick will be in figuring out the equivalent NetworkManager commands so it persists and can be added to the bond0 interface the Security Onion tools are monitoring...

[petiepooo]

Then again, it may be a limitation of NetworkManager...

onion@lab3:~$ sudo nmcli connection add type ip-tunnel ip-tunnel.mode erspan con-name erspan1
Error: failed to modify ip-tunnel.mode: invalid option 'erspan', use one of [ipip,gre,sit,isatap,vti,ip6ip6,ipip6,ip6gre,vti6,gretap,ip6gretap].

Or maybe use netdev to create it, persist it, and make it promiscuous, then change the sensor.interface salt pillar from bond0 to your erspan interface name. That's not a supported change, of course.. you'd be on your own other than community/self-support. But cheaper than buying another Cisco system just to decap your erspan.

[petiepooo]

Can't let this go; sorry.. since there's no responses, I'll let it lie after this note.

It should also be possible to just decap the GRE portion and let zeek/suricata handle the ERSPAN header too. Here's a guide on how to do that. https://brezular.com/2015/05/03/decapsulation-erspan-traffic-with-open-source-tools/ Zeek knows how to process ERSPAN natively. zeek/zeek@d9533e9 looking up PCAPs in SOC could be an issue, though.

[Rennilon]

Can't let this go; sorry.. since there's no responses, I'll let it lie after this note.

It should also be possible to just decap the GRE portion and let zeek/suricata handle the ERSPAN header too. Here's a guide on how to do that. https://brezular.com/2015/05/03/decapsulation-erspan-traffic-with-open-source-tools/ Zeek knows how to process ERSPAN natively. zeek/zeek@d9533e9 looking up PCAPs in SOC could be an issue, though.

I'll be giving this a go next week to see if I can make it work.

[Rennilon]

I tried to get RCDCAP installed, but it was a bit beyond me getting it working on the Oracle Linux SO image. I'm going to have to pursue getting a dedicated intermediary cisco device to handle the decapulation.