[Bro] Bro decapsulating ERSPAN (GRE)

Jon Siwek jsiwek at corelight.com
Wed Oct 31 11:07:31 PDT 2018


On Wed, Oct 31, 2018 at 12:40 PM Matt Thoreson
<matt.thoreson at summitinfosec.com> wrote:

> I thought Bro could by default recognize and decapsulate the real traffic from the GRE tunnel (according to the Bro notes it should be able to do this) but so far when Bro runs it just sees the GRE traffic in its weird.log.

It currently only handles a few GRE protocol types, and it doesn't seem
the ERSPAN ones are among them.

- Jon
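
Added example, not part of the original message and not Bro code: a small parser that reads the GRE header of a mirrored packet and reports whether its protocol type is one of the ERSPAN ones, which is the field the reply refers to. The protocol-type values (0x88BE, 0x22EB) and the ERSPAN header layout are assumptions taken from the commonly documented ERSPAN format, not from this thread; `parse_gre` and `SAMPLE` are names made up for this example.

```python
import struct

ERSPAN_I_II = 0x88BE  # GRE protocol type for ERSPAN Type I/II (assumed, not from the thread)
ERSPAN_III = 0x22EB   # GRE protocol type for ERSPAN Type III (assumed, not from the thread)

def parse_gre(buf):
    """Parse a GRE header (RFC 2784/2890); describe the ERSPAN header if present."""
    def take(off, n):
        if len(buf) < off + n:
            raise ValueError("truncated at offset %d" % off)
        return buf[off:off + n]

    flags, proto = struct.unpack("!HH", take(0, 4))
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    off, seq = 4, None
    if flags & 0x8000:                      # C bit: checksum + reserved
        take(off, 4)
        off += 4
    if flags & 0x2000:                      # K bit: key
        take(off, 4)
        off += 4
    if flags & 0x1000:                      # S bit: sequence number
        seq = struct.unpack("!I", take(off, 4))[0]
        off += 4
    out = {"proto": proto, "seq": seq, "erspan": None, "payload_offset": off}
    if proto == ERSPAN_I_II and seq is None:
        out["erspan"] = {"type": "I"}       # no ERSPAN header, frame follows GRE
    elif proto in (ERSPAN_I_II, ERSPAN_III):
        hdr_len = 8 if proto == ERSPAN_I_II else 12
        hdr = take(off, hdr_len)
        w0, w1 = struct.unpack("!HH", hdr[:4])
        if proto == ERSPAN_III and hdr[11] & 0x01:   # O bit: 8-byte subheader
            take(off + hdr_len, 8)
            hdr_len += 8
        out["erspan"] = {"type": "II" if proto == ERSPAN_I_II else "III",
                         "version": w0 >> 12, "vlan": w0 & 0x0FFF,
                         "session_id": w1 & 0x03FF}
        out["payload_offset"] = off + hdr_len   # start of the mirrored frame
    return out

# Constructed sample: GRE (S bit set, seq 1) + ERSPAN Type II header
# (version 1, VLAN 100, session 5) + 14 zero bytes standing in for the mirrored frame.
SAMPLE = (struct.pack("!HHI", 0x1000, ERSPAN_I_II, 1)
          + struct.pack("!HHI", 0x1064, 0x0005, 0) + bytes(14))

if __name__ == "__main__":
    print(parse_gre(SAMPLE))
```

Run against the GRE payload of a packet from the mirror port, a non-None `erspan` field means the tunnel carries ERSPAN and the inner frame starts at `payload_offset`.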

