Security Onion with ERSPAN traffic


armiofone

Sep 12, 2016, 12:42:48 PM9/12/16
to security-onion
I just set up a new SecurityOnion VM running 14.04.5.1 and have configured eth1 with an IP to receive SPAN traffic from our Cisco core switches over ERSPAN. It encapsulates the SPAN traffic in a GRE tunnel and from everything I've read, bro, snort, suricata, etc. support gre decapsulation by default. I can see all of the traffic being received by the box in wireshark, but when going into SGUIL all of the events show up with either a blank source/destination IP or it is 0.0.0.0 0.0.0.0 across the board. From squert I can click on event signatures and go into ELSA and the queries are all blank. It seems like something isn't happy with the gre encapsulated traffic. Any thoughts?

armiofone

Sep 12, 2016, 12:52:08 PM9/12/16
to security-onion
Here is a pastebin link to the scrubbed sostat output: http://pastebin.com/xYpZBjMq

Wes

Sep 12, 2016, 1:09:16 PM9/12/16
to security-onion

armiofone

Sep 12, 2016, 2:13:34 PM9/12/16
to security-onion

Hey Wes, thanks for the reply. I've been through most of those posts but still haven't been successful. I'm reading the one about barnyard2 needing to be compiled for gre support. Is that going to require a re-install or something that can be changed in a conf file?

armiofone

Sep 12, 2016, 5:58:58 PM9/12/16
to security-onion

So far I've also tried modifying my /etc/network/interfaces to the following:

auto eth3
iface eth3 inet static
address 10.1.1.100
netmask 255.255.255.0

auto mon0
iface mon0 inet manual
pre-up ip link add name $IFACE type gretap local 10.1.1.100 remote 10.1.1.200 dev eth3 key 10
up ip link set dev $IFACE up
down ip link set dev $IFACE down
post-down ip link delete $IFACE

auto mon1
iface mon1 inet manual
pre-up ip link add name $IFACE type gretap local 10.1.1.100 remote 10.1.1.201 dev eth3 key 20
up ip link set dev $IFACE up
down ip link set dev $IFACE down
post-down ip link delete $IFACE

per Steve's instructions https://groups.google.com/forum/#!msg/security-onion/CcZNJEm94zo/3k4MjxayAQAJ but never saw any traffic come into the mon1 interface. It kept coming in via eth1.
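The example below is added here and is not code from this thread, from Security Onion, or from any of the tools mentioned. It constructs two frames carrying the same mirrored packet, one as Cisco ERSPAN Type II over GRE and one as a gretap tunnel (GRE protocol 0x6558, transparent Ethernet bridging, which is what the posted `ip link ... type gretap` config creates), and walks both with a small decapsulator. The ERSPAN Type II header is 8 bytes placed between the GRE header and the mirrored Ethernet frame, and ERSPAN uses GRE protocol 0x88BE rather than 0x6558, so the two encapsulations are not interchangeable. With `erspan_aware=False` the parser acts like a GRE-only decapsulator and lands 8 bytes early in the inner frame, which is the kind of misalignment that leaves a sensor with no inner addresses to report. All MAC and IP addresses, the VLAN and the session id are constructed values; ERSPAN Type III (GRE protocol 0x22EB) is not handled.

```python
"""Walk an ERSPAN-over-GRE frame down to the mirrored inner packet.

Added example, not Security Onion code. Shows why a parser that decapsulates
plain GRE but does not know the 8-byte ERSPAN Type II header misreads the
inner Ethernet frame and cannot find the mirrored IP addresses.
"""
import struct
import ipaddress

ETH_IPV4 = 0x0800
IP_PROTO_GRE = 47
GRE_PROTO_ERSPAN_II = 0x88BE   # ERSPAN Type I/II (Type II also carries a GRE sequence number)
GRE_PROTO_TEB = 0x6558         # transparent Ethernet bridging, used by `ip link ... type gretap`
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000


def _eth(dst, src, eth_type, payload):
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", eth_type) + payload


def _ipv4(src, dst, proto, payload):
    # Header checksum left as 0: this frame is only parsed, never sent.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def _gre(proto, key=None, seq=None):
    flags = (GRE_FLAG_K if key is not None else 0) | (GRE_FLAG_S if seq is not None else 0)
    hdr = struct.pack("!HH", flags, proto)
    if key is not None:
        hdr += struct.pack("!I", key)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    return hdr


def _erspan2(vlan, session_id, index):
    # ERSPAN Type II header: ver=1, VLAN, cos/en/t = 0, session id; then reserved + index.
    w1 = (1 << 28) | (vlan << 16) | session_id
    return struct.pack("!II", w1, index & 0xFFFFF)


# Constructed mirrored packet: a TCP segment between two documentation addresses.
INNER = _eth("001122334455", "66778899aabb", ETH_IPV4,
             _ipv4("192.0.2.10", "198.51.100.20", 6, bytes(20)))
# Constructed ERSPAN Type II frame from a switch (10.1.1.200) to the sensor (10.1.1.100).
ERSPAN_FRAME = _eth("aabbccddeeff", "0a0b0c0d0e0f", ETH_IPV4,
                    _ipv4("10.1.1.200", "10.1.1.100", IP_PROTO_GRE,
                          _gre(GRE_PROTO_ERSPAN_II, seq=1) + _erspan2(100, 5, 1) + INNER))
# Constructed gretap frame carrying the same inner packet, keyed like the posted config (key 10).
GRETAP_FRAME = _eth("aabbccddeeff", "0a0b0c0d0e0f", ETH_IPV4,
                    _ipv4("10.1.1.200", "10.1.1.100", IP_PROTO_GRE,
                          _gre(GRE_PROTO_TEB, key=10) + INNER))


def decapsulate(frame, erspan_aware=True):
    """Return the inner IPv4 endpoints of a GRE-encapsulated mirror frame.

    With erspan_aware=False the parser behaves like a GRE-only decapsulator and
    treats the GRE payload as an Ethernet frame straight away.
    """
    if struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IP_PROTO_GRE:
        raise ValueError("outer packet is not GRE")
    gre = ip[ihl:]
    flags, proto = struct.unpack_from("!HH", gre, 0)
    # Base GRE header is 4 bytes; C, K and S each add a 4-byte field.
    glen = 4 + 4 * bool(flags & GRE_FLAG_C) + 4 * bool(flags & GRE_FLAG_K) + 4 * bool(flags & GRE_FLAG_S)
    payload = gre[glen:]
    result = {"ok": False, "gre_proto": proto, "vlan": None, "session_id": None}
    if proto == GRE_PROTO_ERSPAN_II and erspan_aware and flags & GRE_FLAG_S:
        # Type II: an 8-byte ERSPAN header follows GRE. Type I (no sequence number) has none.
        w1, _w2 = struct.unpack_from("!II", payload, 0)
        result["vlan"] = (w1 >> 16) & 0xFFF
        result["session_id"] = w1 & 0x3FF
        payload = payload[8:]
    elif proto not in (GRE_PROTO_ERSPAN_II, GRE_PROTO_TEB):
        raise ValueError(f"unexpected GRE protocol 0x{proto:04x}")
    inner_type = struct.unpack_from("!H", payload, 12)[0]
    result["inner_ethertype"] = inner_type
    if inner_type != ETH_IPV4:
        return result  # misaligned or non-IP payload: no inner IPv4 addresses to report
    inner_ip = payload[14:]
    result.update(ok=True,
                  inner_src=str(ipaddress.IPv4Address(inner_ip[12:16])),
                  inner_dst=str(ipaddress.IPv4Address(inner_ip[16:20])),
                  inner_proto=inner_ip[9])
    return result


if __name__ == "__main__":
    for name, frame in (("erspan", ERSPAN_FRAME), ("gretap", GRETAP_FRAME)):
        print(name, "aware:  ", decapsulate(frame))
        print(name, "unaware:", decapsulate(frame, erspan_aware=False))
```

Running it shows the gretap frame decoding correctly either way, while the ERSPAN frame only yields the mirrored 192.0.2.10 to 198.51.100.20 conversation (plus VLAN 100 and session 5) when the ERSPAN header is skipped; the unaware pass reads two bytes of the inner destination MAC as the ethertype and gives up.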
