[netsa-tools-discuss] ASA denied events

Mark Thomas mthomas at cert.org
Fri Jul 24 12:26:55 EDT 2015


On Mon, 13 Jul 2015 10:17:56 +0000, John Green wrote:

> The initiator/responder octets for ASA flows appears to be payload
> bytes rather than headers+payload (based on what I'm seeing rather
> than any specific Cisco documentation).

That agrees with the definitions of the IPFIX information elements
at IANA.  http://www.iana.org/assignments/ipfix/ipfix.xhtml

octetTotalCount(85) and octetDeltaCount(1) include IP headers and IP
payload, while initiatorOctets(231) and responderOctets(232) are
layer 4 payload bytes.

Thus, the numbers that SiLK records for these flow records are
different than what most of the long-time users of SiLK expect them
to be.

> <SNIP - Lots of reasons why 0 byte records could be bad>
>
> Perhaps setting packets=1 octets=1, like it does with denied
> events, would cause fewer issues?

Yes, this is probably the best short-term solution.

> John

Thanks,

-Mark
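The distinction drawn in this thread (octetDeltaCount/octetTotalCount count IP header plus payload, initiatorOctets/responderOctets count only layer-4 payload, and zero-octet records are best rewritten as packets=1 octets=1 as is already done for denied events) is easy to get wrong in an exporter-to-SiLK normaliser. The following is an added example, not code from the thread, from Cisco or from the SiLK code base. It assumes a record layout of a plain dict keyed by IANA IPFIX information-element number; the IE numbers 1, 85, 231 and 232 are those cited above, and packetDeltaCount(2) is taken from the same IANA registry though the thread does not name it. The function names and the sample records are constructed for this illustration.

```python
"""Normalise IPFIX octet counters into SiLK-style bytes/packets.

Added example (not part of the thread or of SiLK). Semantics per the
IANA IPFIX registry cited in the thread:
  octetDeltaCount(1), octetTotalCount(85): IP header + IP payload
  initiatorOctets(231), responderOctets(232): layer-4 payload only
Record layout (dict keyed by IE number) is an assumption for this example.
"""

# IANA IPFIX information element numbers used below
OCTET_DELTA_COUNT = 1
PACKET_DELTA_COUNT = 2       # from the IANA registry; not named in the thread
OCTET_TOTAL_COUNT = 85
INITIATOR_OCTETS = 231
RESPONDER_OCTETS = 232


def normalise(rec):
    """Map one IPFIX record to SiLK-style counters.

    Returns a dict with:
      bytes        - the octet count SiLK would store
      packets      - the packet count
      payload_only - True when 'bytes' is L4 payload (initiatorOctets),
                     i.e. NOT comparable with header-inclusive counts
      adjusted     - True when a zero-octet record was rewritten to
                     packets=1 bytes=1, the short-term fix the thread favours
    """
    if OCTET_DELTA_COUNT in rec or OCTET_TOTAL_COUNT in rec:
        # Header-inclusive counters: what long-time SiLK users expect.
        octets = rec.get(OCTET_DELTA_COUNT, rec.get(OCTET_TOTAL_COUNT))
        payload_only = False
    elif INITIATOR_OCTETS in rec:
        # ASA-style bidirectional record: initiator side is the forward flow,
        # and the value counts only layer-4 payload bytes.
        octets = rec[INITIATOR_OCTETS]
        payload_only = True
    else:
        raise ValueError("record carries no octet counter")

    packets = rec.get(PACKET_DELTA_COUNT, 0)
    adjusted = False
    if octets == 0:
        # Zero-byte records cause trouble downstream; treat them like
        # denied events and store a minimal non-zero count instead.
        octets, packets, adjusted = 1, 1, True

    return {"bytes": octets, "packets": packets,
            "payload_only": payload_only, "adjusted": adjusted}


# Constructed sample records (not real exporter output)
SAMPLE_RECORDS = [
    {OCTET_DELTA_COUNT: 1500, PACKET_DELTA_COUNT: 10},          # classic NetFlow/IPFIX
    {INITIATOR_OCTETS: 400, RESPONDER_OCTETS: 2000,
     PACKET_DELTA_COUNT: 3},                                     # ASA, payload-only counts
    {INITIATOR_OCTETS: 0, RESPONDER_OCTETS: 0,
     PACKET_DELTA_COUNT: 1},                                     # ASA zero-octet event
]


def summarise(records):
    """Count how many records are payload-only and how many were adjusted."""
    out = [normalise(r) for r in records]
    return {"payload_only": sum(r["payload_only"] for r in out),
            "adjusted": sum(r["adjusted"] for r in out)}


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(normalise(r))
    print(summarise(SAMPLE_RECORDS))
```

The `payload_only` flag is the part worth keeping in a real pipeline: once ASA records are mixed with header-inclusive records, byte totals from the two sources cannot be compared directly, and the flag lets a query or report separate them instead of silently summing unlike quantities.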

