I’m working with a few erspan flows to various sensors. I recently needed to use a bpf filter to exclude traffic (in addition to a few pass rules, which work to bypass rules just fine with erspan).
I noticed that no bpf rules would apply (include, exclude, etc). Upon further investigation, if I strip the erspan header off with rcdcap to a virtual interface suricata monitors, the traffic is filtered correctly through bpf and works. Once the erspan header is back, it no longer works.
I sense that bpf is applied before erspan decoder which is why pass rules work but bpf does not. Perhaps a ticket should be entered to have this addressed?
I looked at setting up an erspan decoder interface in Linux, however I haven’t had much success (it won’t pick up packets). I’ll keep trying, however, long term, I’d prefer to keep the header since processing of erspan downstream in suricata decodes just fine.
While great, rcdcap is not an option for most of the environment I’m using.
Details on what environment I tested in:
- suricata 5.0.3, 6.03
- linux 4.19, linux 5.15.2
- af_packet, pfring
- type II erspan
Any suggestions or if others have this problem, please post here.
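Added example (not from the original post, and not code from Suricata or rcdcap): the post's observation is that the BPF filter is evaluated on the raw captured frame, i.e. on the outer IP/GRE headers, while pass rules run after the ERSPAN decoder. The script below walks a constructed ERSPAN type II frame (outer Ethernet/IPv4/GRE with sequence number, 8-byte ERSPAN II header, inner Ethernet/IPv4/TCP), shows that a `host X` test against the outer header misses the inner address, and derives a pcap-filter expression with explicit byte offsets that matches the inner IPv4 addresses, which is the usual workaround when the filter has to run before decapsulation. It assumes outer IPv4 without options, GRE with only the sequence-number option (the normal ERSPAN II form), no inner VLAN tag, and uses made-up addresses and a zero IP checksum; the function names are mine.

```python
"""Added example: parse an ERSPAN type II frame and derive a BPF expression
that filters on the inner IPv4 addresses.  Constructed sample data only."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
GRE_PROTO_ERSPAN_II = 0x88BE   # GRE protocol type used by ERSPAN type II
GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000


def parse_ethernet(buf, off):
    """Return (ethertype, payload offset) for the untagged Ethernet header at `off`."""
    return struct.unpack_from("!H", buf, off + 12)[0], off + 14


def parse_ipv4(buf, off):
    """Return ({off, proto, src, dst}, payload offset) for the IPv4 header at `off`."""
    ver_ihl, proto, src, dst = struct.unpack_from("!B8xB2x4s4s", buf, off)
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    hdr = {"off": off, "proto": proto,
           "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst))}
    return hdr, off + (ver_ihl & 0x0F) * 4


def parse_gre_erspan2(buf, off):
    """Walk the GRE header and the 8-byte ERSPAN type II header that follows it."""
    flags, proto = struct.unpack_from("!HH", buf, off)
    if proto != GRE_PROTO_ERSPAN_II:
        raise ValueError("GRE payload is not ERSPAN type II")
    p = off + 4
    for flag in (GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ):   # optional 4-byte GRE fields
        if flags & flag:
            p += 4
    word1, _index = struct.unpack_from("!II", buf, p)
    erspan = {"off": p, "version": word1 >> 28, "vlan": (word1 >> 16) & 0x0FFF,
              "session_id": word1 & 0x03FF}
    if erspan["version"] != 1:           # version 1 == ERSPAN type II
        raise ValueError("unexpected ERSPAN version")
    return erspan, p + 8


def decapsulate(frame):
    """Return the outer IPv4, ERSPAN, and inner IPv4 headers of one captured frame."""
    etype, off = parse_ethernet(frame, 0)
    if etype != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    outer, off = parse_ipv4(frame, off)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    gre_off = off
    erspan, off = parse_gre_erspan2(frame, off)
    inner_eth_off = off
    ietype, off = parse_ethernet(frame, off)
    if ietype != ETHERTYPE_IPV4:
        raise ValueError("inner frame is not plain IPv4 (VLAN-tagged inner frames not handled)")
    inner, _ = parse_ipv4(frame, off)
    return {"outer": outer, "gre_off": gre_off, "erspan": erspan,
            "inner_eth_off": inner_eth_off, "inner": inner}


def host_matches(frame, host, inner):
    """Emulate a pcap 'host X' test against the outer IP header (what a BPF filter
    applied before decapsulation sees) or against the decapsulated inner header."""
    d = decapsulate(frame)
    hdr = d["inner"] if inner else d["outer"]
    return host in (hdr["src"], hdr["dst"])


def exclude_inner_host_bpf(frame, host):
    """Build a pcap-filter expression that drops ERSPAN II frames whose inner IPv4
    source or destination is `host`.  Byte offsets are taken from one representative
    frame of the flow and hold for frames with the same outer IHL and GRE options."""
    d = decapsulate(frame)
    base = d["outer"]["off"]                     # 'ip[n]' counts from the outer IP header
    gre_proto = d["gre_off"] + 2 - base
    inner_etype = d["inner_eth_off"] + 12 - base
    src = d["inner"]["off"] + 12 - base
    dst = src + 4
    h = int(ipaddress.IPv4Address(host))
    return (f"not (ip proto 47 and ip[{gre_proto}:2] = 0x88be and ip[{inner_etype}:2] = 0x0800"
            f" and (ip[{src}:4] = 0x{h:08x} or ip[{dst}:4] = 0x{h:08x}))")


def build_erspan2_frame(outer_src, outer_dst, inner_src, inner_dst, session_id=1, vlan=100):
    """Constructed sample: ERSPAN II (GRE with sequence number) carrying a TCP SYN."""
    def ipv4(src, dst, proto, payload):
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                          ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
        return hdr + payload                     # checksum left at 0 in the sample

    def ethernet(payload):
        return (b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01"
                + struct.pack("!H", ETHERTYPE_IPV4) + payload)

    tcp_syn = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
    inner = ethernet(ipv4(inner_src, inner_dst, 6, tcp_syn))
    erspan = struct.pack("!II", (1 << 28) | (vlan << 16) | session_id, 0)   # ver=1, index=0
    gre = struct.pack("!HHI", GRE_FLAG_SEQ, GRE_PROTO_ERSPAN_II, 7)        # flags, proto, seq
    return ethernet(ipv4(outer_src, outer_dst, IPPROTO_GRE, gre + erspan + inner))


if __name__ == "__main__":
    f = build_erspan2_frame("192.0.2.10", "192.0.2.20", "10.1.2.3", "10.9.9.9")
    print("outer 'host 10.1.2.3' matches:", host_matches(f, "10.1.2.3", inner=False))
    print("inner 'host 10.1.2.3' matches:", host_matches(f, "10.1.2.3", inner=True))
    print(exclude_inner_host_bpf(f, "10.1.2.3"))
```

For the sample frame the expression comes out as `not (ip proto 47 and ip[22:2] = 0x88be and ip[48:2] = 0x0800 and (ip[62:4] = 0x0a010203 or ip[66:4] = 0x0a010203))`, which can be placed in the capture method's `bpf-filter` setting. The offsets are only valid while the encapsulation is stable: an outer IP header with options, a GRE checksum or key, or a VLAN tag on the inner frame shifts every `ip[n]` index, so derive them from a real frame of each span session and keep a pass/drop rule as the fallback for anything the offset filter cannot express.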