[Bro] Bro decapsulating ERSPAN (GRE)

Matt Thoreson matt.thoreson at summitinfosec.com
Wed Oct 31 10:37:32 PDT 2018


Hello,

I've got a VMware instance of Ubuntu running Bro 2.6-beta2. I want Bro to
monitor the eth0 interface that is directly receiving ERSPAN (GRE-tunneled)
data from a Cisco switch. I've tried a few different scenarios. I
thought Bro could by default recognize and decapsulate the real traffic
from the GRE tunnel (according to the Bro notes it should be able to do
this), but so far when Bro runs it just sees the GRE traffic in its
weird.log. I've also tried creating another tunnel interface, tun0, set up
as GRE on the Ubuntu instance, forwarding the traffic from eth0 to
tun0 and having Linux decapsulate it. That is not working either.

Has anyone gotten something similar to work reading cisco ERSPAN traffic
into bro?
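Added example, not part of the thread and not Bro's own decapsulation code: a small Python decoder showing what "decapsulating ERSPAN" actually involves, so you can check what the switch is sending before expecting Bro to unwrap it. It assumes the usual layout, Ethernet / IPv4 / GRE / ERSPAN / inner Ethernet, with ERSPAN Type I and Type II both carried under GRE protocol type 0x88BE (Type I has no ERSPAN header and no GRE sequence number; Type II sets the GRE S bit and adds an 8-byte header) and Type III under 0x22EB, which is recognised but not decoded. The sample frame is constructed in the code, not captured from a real switch.

```python
import struct

# Assumed constants for this example (standard EtherType / IP protocol numbers)
ETH_P_IP = 0x0800              # IPv4 inside Ethernet
IPPROTO_GRE = 47               # GRE inside IPv4
GRE_PROTO_ERSPAN_II = 0x88BE   # GRE protocol type used by ERSPAN Type I and Type II
GRE_PROTO_ERSPAN_III = 0x22EB  # ERSPAN Type III (different header, not decoded here)


def parse_gre(buf):
    """Parse a GRE header (RFC 2784/2890 layout). Returns (protocol_type, header_len, fields)."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", buf[:4])
    if flags & 0x7:
        raise ValueError("unsupported GRE version %d" % (flags & 0x7))
    has_c, has_k, has_s = bool(flags & 0x8000), bool(flags & 0x2000), bool(flags & 0x1000)
    need = 4 + 4 * has_c + 4 * has_k + 4 * has_s  # each optional field occupies 4 bytes
    if len(buf) < need:
        raise ValueError("truncated GRE optional fields")
    offset, fields = 4, {"checksum": None, "key": None, "seq": None}
    if has_c:  # C bit: 2-byte checksum followed by 2 reserved bytes
        fields["checksum"] = struct.unpack("!H", buf[offset:offset + 2])[0]
        offset += 4
    if has_k:  # K bit: 4-byte key
        fields["key"] = struct.unpack("!I", buf[offset:offset + 4])[0]
        offset += 4
    if has_s:  # S bit: 4-byte sequence number (present for ERSPAN Type II)
        fields["seq"] = struct.unpack("!I", buf[offset:offset + 4])[0]
        offset += 4
    return proto, offset, fields


def parse_erspan_ii(buf):
    """Parse the 8-byte ERSPAN Type II header. Returns (fields, 8)."""
    if len(buf) < 8:
        raise ValueError("truncated ERSPAN Type II header")
    w1, w2 = struct.unpack("!II", buf[:8])
    fields = {
        "version": w1 >> 28,            # 4 bits, 1 for Type II
        "vlan": (w1 >> 16) & 0xFFF,      # original VLAN of the mirrored frame
        "cos": (w1 >> 13) & 0x7,
        "en": (w1 >> 11) & 0x3,          # tagging/encapsulation indicator
        "truncated": bool((w1 >> 10) & 0x1),
        "session_id": w1 & 0x3FF,        # ERSPAN session configured on the switch
        "index": w2 & 0xFFFFF,           # port/direction index (low 20 bits)
    }
    if fields["version"] != 1:
        raise ValueError("unexpected ERSPAN version field %d" % fields["version"])
    return fields, 8


def decapsulate_erspan(frame):
    """Given an outer Ethernet frame, return (metadata, inner Ethernet frame),
    or None if the frame is not IPv4/GRE carrying ERSPAN Type I or II."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_GRE:
        return None
    ihl = (ip[0] & 0xF) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    gre = ip[ihl:total_len]  # honour the IP total length so Ethernet padding is dropped
    proto, glen, gre_fields = parse_gre(gre)
    if proto != GRE_PROTO_ERSPAN_II:  # covers Type III and plain GRE alike
        return None
    meta = {"outer_src": ".".join(map(str, ip[12:16])),
            "outer_dst": ".".join(map(str, ip[16:20])),
            "gre_seq": gre_fields["seq"]}
    payload = gre[glen:]
    if gre_fields["seq"] is None:
        # ERSPAN Type I: no ERSPAN header, the mirrored frame follows GRE directly
        meta["erspan_type"] = 1
        return meta, payload
    erspan, elen = parse_erspan_ii(payload)
    meta["erspan_type"] = 2
    meta.update(erspan)
    return meta, payload[elen:]


def build_sample_frame(erspan_type=2):
    """Construct (not captured) a sample frame: Ethernet/IPv4/GRE/[ERSPAN-II]/Ethernet(ARP)."""
    inner = (bytes.fromhex("0a0000000002") + bytes.fromhex("0a0000000001")
             + struct.pack("!H", 0x0806) + b"\x00" * 28)
    if erspan_type == 2:
        gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN_II, 1)  # S bit set, seq = 1
        erspan = struct.pack("!II", (1 << 28) | (100 << 16) | 5, 0x12345)  # VLAN 100, session 5
    else:
        gre = struct.pack("!HH", 0, GRE_PROTO_ERSPAN_II)  # Type I: no flags, no ERSPAN header
        erspan = b""
    total = 20 + len(gre) + len(erspan) + len(inner)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, IPPROTO_GRE, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    outer_eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    return outer_eth + ip + gre + erspan + inner


if __name__ == "__main__":
    meta, inner = decapsulate_erspan(build_sample_frame())
    print(meta)
    print("inner frame: %d bytes, EtherType 0x%04x" % (len(inner), struct.unpack("!H", inner[12:14])[0]))
```

Feeding frames from a real capture needs a pcap reader on top of this; the point here is that the metadata dictionary is what a sensor has to strip and the returned bytes are the frame it should actually analyse. If decoding a few frames from the switch returns None at the GRE protocol check, the switch is most likely sending Type III (0x22EB), which this decoder and, depending on version, the sensor may not handle.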