[netsa-tools-discuss] rwflowpack with Cisco ASA (netflow9) issue

Evgeniy Sudyr eject.in.ua at gmail.com
Thu Sep 10 16:25:15 EDT 2015


Hi Mark,

just to make sure that I was understood correctly - I'm getting nothing
captured to the rwflowpack data directory, but those events in the logfile.

I want to help such a great project, so let me ask:

1) does it help if I send a capture file (pcap) with netflow v9 packets
(including the template, of course)?
2) I can test any code changes immediately and will let you know. Do you
have an SCM repository I can checkout / pull changes from?

On Thu, Sep 10, 2015 at 9:57 PM, Mark Thomas <mthomas at cert.org> wrote:

> Evgeniy-
>
> Thank you for providing your configuration files.
>
> Modifying the probe block in the sensor.conf file to have the
> additional "quirks" line shown here:
>
>   probe P1 netflow-v9
>           listen-on-port 9996
>           protocol udp
>           accept-from-host 192.168.1.1
>           log-flags bad
>           quirks firewall-event, zero-packets
>   end probe
>
> should remove some of those ignored flows from the log file.
>
> The currently released SiLK code (v3.10.2) assumes that the ASA
> sends the firewall event using the "NF_F_FW_EVENT" element.
> However, it appears that Cisco has started to send these events
> using the standard "firewallEvent" element.  The patch that I
> included in that thread fixes the issue.  (The patch is in
> http://permalink.gmane.org/gmane.comp.networking.netsa.tools/108 ).
>
> There is still one unresolved source of "ignored" flows that is
> mentioned in that thread:
>
>   The majority of the remaining flows logged as IGNORED by flowcap
>   appear to be SKIPFIX_FW_EVENT_DELETED where bytes and rev-bytes ==
>   0.  These appear to be unsuccessful connections (eg SYN to closed
>   port - so no payload bytes).
>
> I need to modify the code so these are also stored instead of being
> ignored.
>
> -Mark
>
>
> -----Original Message-----
> From: Evgeniy Sudyr <eject.in.ua at gmail.com>
> Date: Thu, 10 Sep 2015 18:24:23 +0200
> To: <netsa-tools-discuss at cert.org>
> Cc: <hephaestus.studio at gmail.com>
> Subject: [netsa-tools-discuss] rwflowpack with Cisco ASA (netflow9) issue
>
> Hi, I saw that someone got ASA netflow working with rwflowpack here:
> http://comments.gmane.org/gmane.comp.networking.netsa.tools/107 .
>
> I'm trying to get it working in the lab with an ASA5515-X (Netflow V9), and my
> config looks good;
> however, I'm getting no data, but errors in the log.
>
> After starting, rwflowpack catches the template packet and starts complaining.
>
> Log:
>
> Sep 10 18:14:56 debian rwflowpack[39558]:
> IGNORED|192.168.0.248|85.126.xx.xx|52006|80|6|0|0|no forward/reverse
> octets|
> Sep 10 18:14:56 debian rwflowpack[39558]:
> IGNORED|178.124.xx.xx|185.56.xx.xx|63034|1777|6|0|65|no forward/reverse
> packets|
> Sep 10 18:14:56 debian rwflowpack[39558]:
>
>
> I'm starting rwflowpack with:
>
> rwflowpack --input-mode=stream --sensor-configuration=/opt/silk/sensor.conf
> --root-directory=/opt/silk/data/ --compression-method=best
> --site-config-file=/opt/silk/silk.conf --log-destination=/opt/silk/silk.log
>
> $ cat silk.conf
>
> version 2
> sensor 0 S0    "Description for sensor S0"
> sensor 1 S1
> sensor 2 S2    "Optional description for sensor S2"
> sensor 3 S3
> sensor 4 S4
> sensor 5 S5
> sensor 6 S6
> sensor 7 S7
> sensor 8 S8
> sensor 9 S9
> sensor 10 S10
> sensor 11 S11
> sensor 12 S12
> sensor 13 S13
> sensor 14 S14
> class all
>     sensors S0 S1 S2 S3 S4 S5 S6 S7 S8 S9 S10 S11 S12 S13 S14
> end class
> class all
>     type  0 in      in
>     type  1 out     out
>     type  2 inweb   iw
>     type  3 outweb  ow
>     type  4 innull  innull
>     type  5 outnull outnull
>     type  6 int2int int2int
>     type  7 ext2ext ext2ext
>     type  8 inicmp  inicmp
>     type  9 outicmp outicmp
>     type 10 other   other
>     default-types in inweb inicmp
> end class
> default-class all
> packing-logic "packlogic-twoway.so"
>
>
> $ cat sensor.conf
>
> group G1
>      ipblocks 192.168.0.0/16 10.0.0.0/8
> end group
>
> probe P1 netflow-v9
>         listen-on-port 9996
>         protocol udp
>         accept-from-host 192.168.1.1
>         log-flags bad
> end probe
>
> sensor S0
>       netflow-v9-probes P1
>       internal-ipblocks 192.168.0.0/16 10.0.0.0/8
>       external-ipblocks remainder
> end sensor
>
>
> Any help is appreciated!
>
> Working configs for ASA and Netflow v9 will help much more.
>
> --
> With regards,
> Evgeniy
>



-- 
With regards,
Eugene Sudyr
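The IGNORED lines in the log above have a fixed pipe-separated layout, and when tuning the probe's quirks it helps to count how many dropped flows fall into each reason (and how many carry zero packets and zero bytes, the unsuccessful-connection class Mark says still needs a code change) before and after a configuration change. The script below is an added example, not SiLK's own code and not from anyone in this thread; it assumes the field order IGNORED|sIP|dIP|sPort|dPort|proto|packets|bytes|reason| (the positions of the packet and byte counts are an assumption, so check them against your own logs) and runs over constructed sample lines modelled on the ones posted, with RFC 5737 documentation addresses in place of the masked external hosts.

```python
"""Triage rwflowpack IGNORED log lines from a SiLK NetFlow v9 probe.

Added example, not SiLK code. Field order after the protocol number
(packets, then bytes) is an assumption made for this example.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample syslog lines modelled on the ones in the thread; the
# archive's line wrapping is undone and external addresses are documentation
# ranges, not real hosts. The last line is a non-IGNORED message to be skipped.
SAMPLE_LOG = """\
Sep 10 18:14:56 debian rwflowpack[39558]: IGNORED|192.168.0.248|203.0.113.10|52006|80|6|0|0|no forward/reverse octets|
Sep 10 18:14:56 debian rwflowpack[39558]: IGNORED|198.51.100.7|203.0.113.20|63034|1777|6|0|65|no forward/reverse packets|
Sep 10 18:14:57 debian rwflowpack[39558]: IGNORED|192.168.0.17|10.0.0.5|41022|443|6|0|0|no forward/reverse octets|
Sep 10 18:14:57 debian rwflowpack[39558]: Log file opened
"""

# One IGNORED record: IGNORED|sIP|dIP|sPort|dPort|proto|packets|bytes|reason|
IGNORED_RE = re.compile(
    r"rwflowpack\[\d+\]: IGNORED\|(?P<sip>[^|]+)\|(?P<dip>[^|]+)\|"
    r"(?P<sport>\d+)\|(?P<dport>\d+)\|(?P<proto>\d+)\|"
    r"(?P<pkts>\d+)\|(?P<bytes>\d+)\|(?P<reason>[^|]*)\|"
)


@dataclass(frozen=True)
class IgnoredFlow:
    sip: str
    dip: str
    sport: int
    dport: int
    proto: int
    pkts: int
    bytes: int
    reason: str


def parse_ignored(log_text: str) -> list[IgnoredFlow]:
    """Return every IGNORED record in the log text; other lines are skipped."""
    flows = []
    for line in log_text.splitlines():
        m = IGNORED_RE.search(line)
        if not m:
            continue
        flows.append(IgnoredFlow(
            sip=m["sip"], dip=m["dip"],
            sport=int(m["sport"]), dport=int(m["dport"]), proto=int(m["proto"]),
            pkts=int(m["pkts"]), bytes=int(m["bytes"]), reason=m["reason"],
        ))
    return flows


def summarize(flows: list[IgnoredFlow]) -> dict:
    """Count ignored flows per reason and isolate the zero-packet/zero-byte ones.

    Flows with both counters at zero match the unresolved case described in
    the thread (deleted firewall events with no payload, e.g. a SYN to a
    closed port); their destination ports are tallied so a collector admin can
    see whether they cluster on a few services before deciding what to keep.
    """
    by_reason = Counter(f.reason for f in flows)
    zero_payload = [f for f in flows if f.pkts == 0 and f.bytes == 0]
    return {
        "total": len(flows),
        "by_reason": dict(by_reason),
        "zero_payload": len(zero_payload),
        "zero_payload_dports": dict(Counter(f.dport for f in zero_payload)),
    }


if __name__ == "__main__":
    # Run the triage over the constructed sample and print the breakdown.
    # To use on a real collector: summarize(parse_ignored(open(path).read()))
    for key, value in summarize(parse_ignored(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it once before and once after adding the `quirks firewall-event, zero-packets` line to the probe block; the reasons whose counts drop to zero are the ones the quirks handle, and what remains under the zero-payload count is the population Mark's pending code change is meant to store rather than ignore.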

