[netsa-tools-discuss] ASA denied events

John Green John.Green at jisc.ac.uk
Mon Jul 13 06:17:56 EDT 2015


On Fri, 2015-07-10 at 15:24 -0400, Mark Thomas wrote:
> 
> > The majority of the remaining flows logged as IGNORED by flowcap
> > appear to be SKIPFIX_FW_EVENT_DELETED where bytes and rev-bytes ==
> > 0.  These appear to be unsuccessful connections (eg SYN to closed
> > port - so no payload bytes).
> 
> And the incoming packet has some octet count, does it not?  If you
> are giving me a deleted event, why does the volume of the incoming
> packet not count?

The initiator/responder octets for ASA flows appear to be payload
bytes rather than headers+payload (based on what I'm seeing rather than
any specific Cisco documentation).

A SYN to a closed port (eg which gets a RST in return) is reported as a
DELETED firewall event with initiator/responder octets == 0.

I see similar behaviour for successful flows when compared to a non-ASA
collector (eg ASA byte count < non-ASA byte count for the identical
flow).

> > Can these simply be stored as 0 (payload) byte flows?
> 
> Here are my thoughts on a Friday afternoon:

<SNIP - Lots of reasons why 0 byte records could be bad>

Perhaps setting packets=1 octets=1, like it does with denied events,
would cause fewer issues?

John
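The handling John proposes above, as an added example (not SiLK/flowcap code or anything from this thread): ASA firewall events are classified by their NSEL firewallEvent value, DELETED events with zero initiator and responder octets are stored the same way denied events are (packets=1, octets=1) instead of being dropped, and everything else is passed through. The record layout, field names and sample events are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Cisco ASA NSEL firewallEvent values (IPFIX element 233).
FW_CREATED, FW_DELETED, FW_DENIED = 1, 2, 3

@dataclass
class AsaEvent:
    # Constructed layout modelled on ASA exports; field names are assumptions.
    sip: str
    dport: int
    fw_event: int
    initiator_octets: int   # payload-only counts, as observed in the thread
    responder_octets: int
    packets: int = 0

def normalize(ev: AsaEvent) -> Optional[dict]:
    """Turn one ASA firewall event into a flow record (dict), or None if ignored."""
    base = {"sip": ev.sip, "dport": ev.dport}
    if ev.fw_event == FW_DENIED:
        # Existing convention for denied events: store packets=1, octets=1.
        return {**base, "packets": 1, "octets": 1, "rev_octets": 0, "reason": "denied"}
    if ev.fw_event == FW_DELETED:
        if ev.initiator_octets == 0 and ev.responder_octets == 0:
            # Unsuccessful connection (e.g. SYN answered by RST). Keep it the same
            # way as a denied event instead of dropping it as a 0-byte flow, so
            # the connection attempt still shows up in later queries.
            return {**base, "packets": 1, "octets": 1, "rev_octets": 0,
                    "reason": "deleted-no-payload"}
        return {**base, "packets": max(ev.packets, 1), "octets": ev.initiator_octets,
                "rev_octets": ev.responder_octets, "reason": "deleted"}
    # Created/update/alert events carry no final counts; wait for the DELETED event.
    return None

def normalize_all(events):
    """Normalize a batch, returning (kept flow records, number ignored)."""
    flows = [f for f in (normalize(e) for e in events) if f is not None]
    return flows, len(events) - len(flows)

# Constructed sample events: a normal HTTP session, a SYN to a closed port,
# a denied telnet attempt, and a CREATED event that carries no counts yet.
SAMPLE = [
    AsaEvent("10.0.0.5", 80, FW_DELETED, 412, 5120, 12),
    AsaEvent("10.0.0.5", 8080, FW_DELETED, 0, 0, 1),
    AsaEvent("10.0.0.9", 23, FW_DENIED, 0, 0, 1),
    AsaEvent("10.0.0.5", 443, FW_CREATED, 0, 0, 1),
]

if __name__ == "__main__":
    kept, ignored = normalize_all(SAMPLE)
    for f in kept:
        print(f)
    print("ignored:", ignored)
```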
