changing sensor interface (decap ERSPAN)

Pete

May 2, 2016, 1:49:12 PM5/2/16
to security-onion
All,

I just wanted to post what I believe is a success in switching interfaces.

I have a SecurityOnion sensor setup receiving a couple of ERSPAN feeds from Cisco Nexus routers. I was unable to get the Linux kernel's ip_gre module to decapsulate the spans, so had set it to listen on bond0, which terminates the virtual port channel and has the ERSPAN's destination IP (end of GRE tunnel).

I wanted to preserve the data I'd collected on bond0, so did not want to rerun sosetup. Here are the steps I took to get the new sensor interface up and running:

1. Stop the sensor (sudo nsm --sensor --stop).
2. Go into /etc/nsm, edit sensortab, choose an unused sensor name, and edit it to use my new interface. Comment out bond0 and uncomment my new one (eg: srvr12-em3 --> srvr12-mon1).
3. Rename the sensor directory in /etc/nsm from the unused sensor to my new one's name.
4. Go into the /etc/nsm/<newsensorname> directory, grep for the unused sensor interface, and edit all found files to use the new sensor interface and sensor name (eg: em3 --> mon1).
5. Go into /nsm/sensor_data and rename the sensor directory from the unused sensor to my new one's name.
6. Go into /opt/bro/etc and edit node.cfg: rename the unused sensor interface to the new interface and uncomment its lines. Comment out the lines for bond0.
7. Start the sensor (sudo nsm --sensor --start).

Tip: when starting RCDCap, set the snaplength higher than the default of 1518 (I used 1600). Without that, it abends on large packets when it detects truncation. I also set it to start automatically and respawn as needed using upstart, but it seems to be rock solid.
--
Pete
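Pete's procedure above, as an added shell rehearsal that is not code from the post or from Security Onion: it replays the sensortab edit, the two directory renames, the per-file substitution and the node.cfg swap against a tree rooted at a path you choose, so the edit can be checked on a copy before it touches the live /etc/nsm. Assumed, not stated in the post: config files are line-oriented with '#' comments, node.cfg uses '[sensor]' section headers, and the fixture file contents (including sensor.conf) are constructed stand-ins, not the real formats.

```shell
#!/bin/sh
# Added example, not from the original post: replay the interface switch on an
# NSM tree rooted at $ROOT so it can be rehearsed on a copy before touching /.
# Assumptions (not in the post): '#' line comments; '[sensor]' headers in node.cfg.
set -eu

# swap FILE BLOCKS: comment out the DROP_IF entry, uncomment the unused
# OLD_SENSOR entry and rename it to NEW_SENSOR / NEW_IF. BLOCKS=1 treats a
# '[section]' header as the start of an entry (node.cfg); 0 works line by line.
swap() {
  tmp=$(mktemp)
  awk -v blocks="$2" -v drop="$DROP_IF" -v oldn="$OLD_SENSOR" -v newn="$NEW_SENSOR" \
      -v oldi="$OLD_IF" -v newi="$NEW_IF" '
    blocks == 0 || /^#?[[:space:]]*\[/ || /^[[:space:]]*$/ {
      mode = ($0 ~ drop) ? "off" : ($0 ~ oldn) ? "on" : ""
    }
    mode == "off" && !/^#/ { $0 = "#" $0 }
    mode == "on" { sub(/^#[[:space:]]*/, ""); gsub(oldn, newn); gsub(oldi, newi) }
    { print }' "$1" >"$tmp" && mv "$tmp" "$1"
}

# switch_sensor ROOT OLD_SENSOR NEW_SENSOR OLD_IF NEW_IF DROP_IF
#   e.g. switch_sensor / srvr12-em3 srvr12-mon1 em3 mon1 bond0
# Run it between 'sudo nsm --sensor --stop' and 'sudo nsm --sensor --start'.
switch_sensor() {
  ROOT=$1 OLD_SENSOR=$2 NEW_SENSOR=$3 OLD_IF=$4 NEW_IF=$5 DROP_IF=$6
  swap "$ROOT/etc/nsm/sensortab" 0                              # sensortab edit
  mv "$ROOT/etc/nsm/$OLD_SENSOR" "$ROOT/etc/nsm/$NEW_SENSOR"    # rename sensor dir
  # every file in the renamed dir that still names the old sensor or interface
  grep -rl -e "$OLD_SENSOR" -e "$OLD_IF" "$ROOT/etc/nsm/$NEW_SENSOR" | while read -r f; do
    sed -e "s/$OLD_SENSOR/$NEW_SENSOR/g; s/$OLD_IF/$NEW_IF/g" "$f" >"$f.tmp" && mv "$f.tmp" "$f"
  done
  mv "$ROOT/nsm/sensor_data/$OLD_SENSOR" "$ROOT/nsm/sensor_data/$NEW_SENSOR"  # data dir
  swap "$ROOT/opt/bro/etc/node.cfg" 1                           # node.cfg sections
}

# Constructed sample tree mirroring the post's layout (formats are stand-ins).
make_fixture() {
  mkdir -p "$1/etc/nsm/srvr12-em3" "$1/nsm/sensor_data/srvr12-em3" "$1/opt/bro/etc"
  printf 'srvr12-bond0\tbond0\n#srvr12-em3\tem3\n' >"$1/etc/nsm/sensortab"
  printf 'INTERFACE="em3"\nSENSORNAME="srvr12-em3"\n' >"$1/etc/nsm/srvr12-em3/sensor.conf"
  printf '[srvr12-bond0]\ntype=worker\ninterface=bond0\n\n#[srvr12-em3]\n#type=worker\n#interface=em3\n' \
    >"$1/opt/bro/etc/node.cfg"
}

# Rehearsal on a throwaway copy: sh this.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); make_fixture "$d"; switch_sensor "$d" srvr12-em3 srvr12-mon1 em3 mon1 bond0
  cat "$d/etc/nsm/sensortab" "$d/opt/bro/etc/node.cfg"; rm -rf "$d"
fi
```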
