[netsa-tools-discuss] ASA denied events

[John Green]

Hi,

Is anyone else using Silk to process denied events from an ASA?

I've been trying to collect V9 from an ASA and have been getting large numbers of "IGNORED - no forward/reverse octets" entries showing up in my flowcap log files.  

The majority of these were denied packets.  Looking at the source code these should be fixed up in skipfix.c when the following conditions are met.

if ((skpcProbeGetQuirks(probe) & SKPC_QUIRK_FW_EVENT)
   && 0 == pkts
   && SKIPFIX_FW_EVENT_DENIED == fixrec.NF_F_FW_EVENT)

This wasn't happening because looking in fixrec
firewallEvent = 3 '\003', NF_F_FW_EVENT = 0 '\000', NF_F_FW_EXT_EVENT = 1002

Looking in the templates being exported from the ASA I have
firewallEvent (233) and FW_EXT_EVENT (33002).    I can't see any
reference to NF_F_FW_EVENT (40005).   A comment in skipfix.c refers to
two Cisco documents, both of which also make no reference to 40005
(only 233).

I've changed the above code to mirror some logic used previously in the function.

uint8_t event = (fixrec.firewallEvent ? fixrec.firewallEvent : fixrec.NF_F_FW_EVENT);
if ((skpcProbeGetQuirks(probe) & SKPC_QUIRK_FW_EVENT)
            && 0 == pkts
            && SKIPFIX_FW_EVENT_DENIED == event)

This appears to work, but I wanted to check I wasn't missing something.   In particular if libfixbuf should be involved somehow (http://tools.netsa.cert.org/fixbuf/libfixbuf/v9.html makes references to converting these elements)

Thanks
John

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.