I see that ip link appears to support erspan. So maybe I'll be able to use something there.
-
I'm in the course of trying to upgrade an old (16.04) securityonion to securityonion 2.4.
On the old system we receive ERSPAN feeds from multiple devices and use rcdcap to decapsulate these feeds and pass the unencapsulated packets to a virtual interface mon0, which we configure SecurityOnion to use as its monitoring interface.
I'm performing an initial install of 2.4 right now, and the first thing that is apparent is that it only has the securityonion.repo configured with a limited set of packages, and it looks like it is going to be very difficult to either install rcdcap on the system, or even attempt to build it from source.
Has anyone successfully done this? Supporting ERSPAN would be very useful, as it allows SPAN ports from switches over Layer-3. We need this as our infrastructure has asymmetric routing so taking a SPAN port from one location is not usually going to see the bidirectional traffic (i.e. will only see ingress, or egress, not both).
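The decapsulation step described in the post above (stripping the GRE and ERSPAN headers so the sensor sees the original mirrored frame), as an added Python example that is not part of the original discussion and is not rcdcap's or Security Onion's code. It handles only ERSPAN Type I/II carried in GRE protocol 0x88BE; the function name and the sample packet are constructed for illustration.

```python
import struct

GRE_PROTO_ERSPAN = 0x88BE          # GRE protocol type for ERSPAN Type I/II
GRE_CSUM, GRE_KEY, GRE_SEQ = 0x8000, 0x2000, 0x1000

def decap_erspan(gre: bytes) -> dict:
    """Take the GRE payload of an ERSPAN packet (the bytes after the outer
    IP header) and return the mirrored Ethernet frame plus ERSPAN metadata."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", gre, 0)
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    if proto != GRE_PROTO_ERSPAN:
        raise ValueError(f"not ERSPAN Type I/II: GRE proto 0x{proto:04x}")
    off = 4
    off += 4 if flags & GRE_CSUM else 0      # optional checksum + reserved
    off += 4 if flags & GRE_KEY else 0       # optional key
    if not flags & GRE_SEQ:
        # Type I: no sequence number and no ERSPAN header at all.
        return {"type": 1, "frame": gre[off:]}
    if len(gre) < off + 12:
        raise ValueError("truncated sequence number or ERSPAN header")
    seq, w0, w1 = struct.unpack_from("!III", gre, off)
    if w0 >> 28 != 1:
        raise ValueError("ERSPAN version field is not 1 (Type II)")
    return {
        "type": 2,
        "seq": seq,                      # lets the receiver spot dropped mirror packets
        "vlan": (w0 >> 16) & 0xFFF,      # VLAN of the mirrored frame
        "session_id": w0 & 0x3FF,        # which ERSPAN session sent it
        "index": w1 & 0xFFFFF,           # platform-dependent index
        "frame": gre[off + 12:],         # original Ethernet frame for the sensor
    }

# Constructed sample: Type II, sequence 7, VLAN 100, session 42, index 5,
# wrapping a made-up Ethernet frame (broadcast dst, locally administered src).
SAMPLE_INNER = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"constructed-payload"
SAMPLE_GRE = (struct.pack("!HHI", GRE_SEQ, GRE_PROTO_ERSPAN, 7)
              + struct.pack("!II", (1 << 28) | (100 << 16) | 42, 5)
              + SAMPLE_INNER)

if __name__ == "__main__":
    info = decap_erspan(SAMPLE_GRE)
    print(info["type"], info["session_id"], info["vlan"], info["frame"].hex())
```

With feeds arriving from multiple devices, the session ID and sequence number are the fields that let a receiver tell the sources apart and notice gaps in a feed.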