Using suricata as IDS for traffic from various networks via ERSPAN

Hello! please help me figure out whether suricata has been installed on a vmware VM with ubuntu, traffic has been allowed to the monitored interface via ERSPAN, but it is not visible. Suricata supports such an implementation, it can see the ERSPAN I traffic, do I need to make any additional settings for this?

it seems to me that she sees only traffic directed personally at her and broadcast

The output of grep decoder.erspan stats.log is empty

Sounds like something like promisc mode on the capture interface is not enabled?

promisc mode is enabled. Do I need any settings so that suricata decrypts traffic (parses packets), and not just headers?


What Suricata version are you using?

In Suricata 5.0.[3-7], ERSPAN Type 1 is disabled by default. The configuration variable decoder.erspan.typeI.enabled must be set to true (or yes or 1) for this traffic to be inspected. Earlier versions of Suricata do not decode ERSPAN Type 1.

In Suricata 6.0.3 and later, ERSPAN Type 1 is enabled by default.