[netsa-tools-discuss] ASA denied events
John Green
John.Green at jisc.ac.uk
Wed Jul 8 05:52:09 EDT 2015
On Wed, 2015-07-01 at 11:22 -0400, Mark Thomas wrote:
> John-
>
> On Wed, 1 Jul 2015 11:23:17 +0000, John Green wrote:
>
> > Hi,
>
> Hello. It is always good to hear from you.
>
> Short answer: Your analysis is correct and the attached patch, based
> on your fix (Thanks!), addresses the issue.

Hi Mark,

Thanks for looking into this and supplying a patch.

The majority of the remaining flows logged as IGNORED by flowcap appear
to be SKIPFIX_FW_EVENT_DELETED where bytes and rev-bytes == 0. These
appear to be unsuccessful connections (e.g. SYN to closed port - so no
payload bytes). I would still expect to see these recorded as they would
be with normal netflow. This is referenced in a comment in the source:
"HOWEVER, some flow records have a 0-byte count, and it is unclear what
to with those---currently they are ignored."

Can these simply be stored as 0 (payload) byte flows?

Thanks
John