[netsa-tools-discuss] rwflowpack with Cisco ASA (netflow9) issue

Mark Thomas mthomas at cert.org
Thu Sep 10 15:57:24 EDT 2015


Evgeniy-

Thank you for providing your configuration files.

Modifying the probe block in the sensor.conf file to have the
additional "quirks" line shown here:

  probe P1 netflow-v9
          listen-on-port 9996
          protocol udp
          accept-from-host 192.168.1.1
          log-flags bad
          quirks firewall-event, zero-packets
  end probe

should remove some of those ignored flows from the log file.

The currently released SiLK code (v3.10.2) assumes that the ASA
sends the firewall event using the "NF_F_FW_EVENT" element.
However, it appears that Cisco has started to send these events
using the standard "firewallEvent" element.  The patch that I
included in that thread fixes the issue.  (The patch is in
http://permalink.gmane.org/gmane.comp.networking.netsa.tools/108 ).

There is still one unresolved source of "ignored" flows that is
mentioned in that thread:

  The majority of the remaining flows logged as IGNORED by flowcap
  appear to be SKIPFIX_FW_EVENT_DELETED where bytes and rev-bytes ==
  0.  These appear to be unsuccessful connections (eg SYN to closed
  port - so no payload bytes).

I need to modify the code so these are also stored instead of being
ignored.

-Mark


-----Original Message-----
From: Evgeniy Sudyr <eject.in.ua at gmail.com>
Date: Thu, 10 Sep 2015 18:24:23 +0200
To: <netsa-tools-discuss at cert.org>
Cc: <hephaestus.studio at gmail.com>
Subject: [netsa-tools-discuss] rwflowpack with Cisco ASA (netflow9) issue

Hi, I saw that someone got ASA NetFlow working with rwflowpack here:
http://comments.gmane.org/gmane.comp.networking.netsa.tools/107 .

I'm trying to get it working in the lab with an ASA5515-X (NetFlow v9).
My config looks good; however, I'm getting no data, only errors in the log.

After starting, rwflowpack catches the template packet and starts complaining.

Log:

Sep 10 18:14:56 debian rwflowpack[39558]:
IGNORED|192.168.0.248|85.126.xx.xx|52006|80|6|0|0|no forward/reverse octets|
Sep 10 18:14:56 debian rwflowpack[39558]:
IGNORED|178.124.xx.xx|185.56.xx.xx|63034|1777|6|0|65|no forward/reverse packets|
Sep 10 18:14:56 debian rwflowpack[39558]:


I'm starting rwflowpack with:

rwflowpack --input-mode=stream --sensor-configuration=/opt/silk/sensor.conf \
    --root-directory=/opt/silk/data/ --compression-method=best \
    --site-config-file=/opt/silk/silk.conf --log-destination=/opt/silk/silk.log

$ cat silk.conf

version 2
sensor 0 S0    "Description for sensor S0"
sensor 1 S1
sensor 2 S2    "Optional description for sensor S2"
sensor 3 S3
sensor 4 S4
sensor 5 S5
sensor 6 S6
sensor 7 S7
sensor 8 S8
sensor 9 S9
sensor 10 S10
sensor 11 S11
sensor 12 S12
sensor 13 S13
sensor 14 S14
class all
    sensors S0 S1 S2 S3 S4 S5 S6 S7 S8 S9 S10 S11 S12 S13 S14
end class
class all
    type  0 in      in
    type  1 out     out
    type  2 inweb   iw
    type  3 outweb  ow
    type  4 innull  innull
    type  5 outnull outnull
    type  6 int2int int2int
    type  7 ext2ext ext2ext
    type  8 inicmp  inicmp
    type  9 outicmp outicmp
    type 10 other   other
    default-types in inweb inicmp
end class
default-class all
packing-logic "packlogic-twoway.so"


$ cat sensor.conf

group G1
     ipblocks 192.168.0.0/16 10.0.0.0/8
end group

probe P1 netflow-v9
        listen-on-port 9996
        protocol udp
        accept-from-host 192.168.1.1
        log-flags bad
end probe

sensor S0
      netflow-v9-probes P1
      internal-ipblocks 192.168.0.0/16 10.0.0.0/8
      external-ipblocks remainder
end sensor


Any help is appreciated!

Working configs for ASA and Netflow v9 will help much more.

--
With regards,
Evgeniy
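Before and after applying the "quirks" line Mark suggests, it is useful to know exactly which IGNORED reasons dominate the rwflowpack log and how many of those flows carried no packets and no bytes at all (the unsuccessful-connection pattern Mark describes). The script below is an added example and is not part of SiLK or of either message in this thread. It parses the `IGNORED|sip|dip|sport|dport|proto|packets|bytes|reason|` records shown above; the order of the two numeric fields after the protocol (packets, then bytes) is an assumption read off the two posted lines, and the sample log embedded in the script is constructed, with the masked addresses replaced by documentation ranges.

```python
"""Summarise the IGNORED records rwflowpack writes to its log.

Added example, not SiLK code.  Assumed record layout (from the lines posted
in the thread; packets-before-bytes is an assumption):

    IGNORED|sip|dip|sport|dport|proto|packets|bytes|reason|
"""
import re
from collections import Counter
from dataclasses import dataclass

# Syslog prefix rwflowpack puts in front of each message.
PREFIX_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) rwflowpack\[(?P<pid>\d+)\]:\s*"
)

# Constructed sample log, modelled on the posted lines: the first two records
# are split across lines the way the mail client wrapped them, the third is
# on one line, the fourth is not an IGNORED record at all.
SAMPLE_LOG = """\
Sep 10 18:14:56 debian rwflowpack[39558]:
IGNORED|192.168.0.248|203.0.113.10|52006|80|6|0|0|no forward/reverse octets|
Sep 10 18:14:56 debian rwflowpack[39558]:
IGNORED|198.51.100.7|203.0.113.20|63034|1777|6|0|65|no forward/reverse
packets|
Sep 10 18:14:57 debian rwflowpack[39558]: IGNORED|192.168.0.12|203.0.113.10|40001|443|6|0|0|no forward/reverse octets|
Sep 10 18:14:57 debian rwflowpack[39558]: some other message
"""


@dataclass
class Ignored:
    sip: str
    dip: str
    sport: int
    dport: int
    proto: int
    packets: int
    bytes_: int
    reason: str


def reassemble(log_text):
    """Yield one message per syslog prefix, re-joining continuation lines
    (a record that follows its prefix on the next line, or a record wrapped
    mid-field) with a single space."""
    current = None
    for line in log_text.splitlines():
        if PREFIX_RE.match(line):
            if current is not None:
                yield current
            current = line
        elif current is not None and line.strip():
            current += " " + line.strip()
    if current is not None:
        yield current


def parse_ignored(message):
    """Return an Ignored record, or None if the message is not an IGNORED line."""
    m = PREFIX_RE.match(message)
    if not m:
        return None
    body = message[m.end():].strip()
    if not body.startswith("IGNORED|"):
        return None
    fields = body.split("|")
    # fields[0] is "IGNORED"; the trailing '|' leaves an empty last field.
    if len(fields) < 9:
        return None
    return Ignored(
        sip=fields[1], dip=fields[2],
        sport=int(fields[3]), dport=int(fields[4]), proto=int(fields[5]),
        packets=int(fields[6]), bytes_=int(fields[7]),
        reason=fields[8].strip(),
    )


def summarise(log_text):
    """Count IGNORED records per reason, and per reason how many had neither
    packets nor bytes (candidates for the SYN-to-closed-port case)."""
    by_reason = Counter()
    empty_flows = Counter()
    for msg in reassemble(log_text):
        rec = parse_ignored(msg)
        if rec is None:
            continue
        by_reason[rec.reason] += 1
        if rec.packets == 0 and rec.bytes_ == 0:
            empty_flows[rec.reason] += 1
    return by_reason, empty_flows


if __name__ == "__main__":
    by_reason, empty_flows = summarise(SAMPLE_LOG)
    for reason, n in by_reason.most_common():
        print(f"{n:6d}  {reason}  (no packets and no bytes: {empty_flows[reason]})")
```

Run it against the real file with `summarise(open("/opt/silk/silk.log").read())`; if the counts for "no forward/reverse octets" and "no forward/reverse packets" drop after adding the quirks line, the probe change took effect, and what remains is the zero-byte deleted-event case Mark says still needs a code change.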

