[netsa-tools-discuss] rwflowpack with Cisco ASA (netflow9) issue
Evgeniy Sudyr
eject.in.ua at gmail.com
Thu Sep 10 17:14:49 EDT 2015
Quick update: after adding "quirks firewall-event, zero-packets" to
sensor.conf I got data captured to the data directory from rwflowpack.
On Thu, Sep 10, 2015 at 10:25 PM, Evgeniy Sudyr <eject.in.ua at gmail.com>
wrote:
> Hi Mark,
>
> just to make sure that I was understood correctly: I'm getting nothing
> captured to the rwflowpack data directory, but those events in the logfile.
>
> I want to help such a great project, so let me ask:
>
> 1) does it help if I send a capture file (pcap) with NetFlow v9 packets
> (including the template, of course)?
> 2) I can test any code changes immediately and will let you know. Do you
> have some SCM repository I can check out / pull changes from?
>
> On Thu, Sep 10, 2015 at 9:57 PM, Mark Thomas <mthomas at cert.org> wrote:
>
>> Evgeniy-
>>
>> Thank you for providing your configuration files.
>>
>> Modifying the probe block in the sensor.conf file to have the
>> additional "quirks" line shown here:
>>
>> probe P1 netflow-v9
>> listen-on-port 9996
>> protocol udp
>> accept-from-host 192.168.1.1
>> log-flags bad
>> quirks firewall-event, zero-packets
>> end probe
>>
>> should remove some of those ignored flows from the log file.
>>
>> The currently released SiLK code (v3.10.2) assumes that the ASA
>> sends the firewall event using the "NF_F_FW_EVENT" element.
>> However, it appears that Cisco has started to send these events
>> using the standard "firewallEvent" element. The patch that I
>> included in that thread fixes the issue. (The patch is in
>> http://permalink.gmane.org/gmane.comp.networking.netsa.tools/108 ).
>>
>> There is still one unresolved source of "ignored" flows that is
>> mentioned in that thread:
>>
>> The majority of the remaining flows logged as IGNORED by flowcap
>> appear to be SKIPFIX_FW_EVENT_DELETED where bytes and rev-bytes ==
>> 0. These appear to be unsuccessful connections (e.g. SYN to a closed
>> port, so no payload bytes).
>>
>> I need to modify the code so these are also stored instead of being
>> ignored.
>>
>> -Mark
>>
>>
>> -----Original Message-----
>> From: Evgeniy Sudyr <eject.in.ua at gmail.com>
>> Date: Thu, 10 Sep 2015 18:24:23 +0200
>> To: <netsa-tools-discuss at cert.org>
>> Cc: <hephaestus.studio at gmail.com>
>> Subject: [netsa-tools-discuss] rwflowpack with Cisco ASA (netflow9) issue
>>
>> Hi, I saw that someone got ASA NetFlow working with rwflowpack here:
>> http://comments.gmane.org/gmane.comp.networking.netsa.tools/107 .
>>
>> I'm trying to get it working in a lab with an ASA5515-X (NetFlow v9), and my
>> config looks good; however, I'm getting no data, only errors in the log.
>>
>> After starting, rwflowpack catches the template packet and starts complaining.
>>
>> Log:
>>
>> Sep 10 18:14:56 debian rwflowpack[39558]: IGNORED|192.168.0.248|85.126.xx.xx|52006|80|6|0|0|no forward/reverse octets|
>> Sep 10 18:14:56 debian rwflowpack[39558]: IGNORED|178.124.xx.xx|185.56.xx.xx|63034|1777|6|0|65|no forward/reverse packets|
>> Sep 10 18:14:56 debian rwflowpack[39558]:
>>
>>
>> I'm starting rwflowpack with:
>>
>> rwflowpack --input-mode=stream
>> --sensor-configuration=/opt/silk/sensor.conf
>> --root-directory=/opt/silk/data/ --compression-method=best
>> --site-config-file=/opt/silk/silk.conf
>> --log-destination=/opt/silk/silk.log
>>
>> $ cat silk.conf
>>
>> version 2
>> sensor 0 S0 "Description for sensor S0"
>> sensor 1 S1
>> sensor 2 S2 "Optional description for sensor S2"
>> sensor 3 S3
>> sensor 4 S4
>> sensor 5 S5
>> sensor 6 S6
>> sensor 7 S7
>> sensor 8 S8
>> sensor 9 S9
>> sensor 10 S10
>> sensor 11 S11
>> sensor 12 S12
>> sensor 13 S13
>> sensor 14 S14
>> class all
>> sensors S0 S1 S2 S3 S4 S5 S6 S7 S8 S9 S10 S11 S12 S13 S14
>> end class
>> class all
>> type 0 in in
>> type 1 out out
>> type 2 inweb iw
>> type 3 outweb ow
>> type 4 innull innull
>> type 5 outnull outnull
>> type 6 int2int int2int
>> type 7 ext2ext ext2ext
>> type 8 inicmp inicmp
>> type 9 outicmp outicmp
>> type 10 other other
>> default-types in inweb inicmp
>> end class
>> default-class all
>> packing-logic "packlogic-twoway.so"
>>
>>
>> $ cat sensor.conf
>>
>> group G1
>> ipblocks 192.168.0.0/16 10.0.0.0/8
>> end group
>>
>> probe P1 netflow-v9
>> listen-on-port 9996
>> protocol udp
>> accept-from-host 192.168.1.1
>> log-flags bad
>> end probe
>>
>> sensor S0
>> netflow-v9-probes P1
>> internal-ipblocks 192.168.0.0/16 10.0.0.0/8
>> external-ipblocks remainder
>> end sensor
>>
>>
>> Any help is appreciated!
>>
>> Working configs for ASA and Netflow v9 will help much more.
>>
>> --
>> With regards,
>> Evgeniy
>>
>
> --
> With regards,
> Eugene Sudyr
>
--
With regards,
Eugene Sudyr
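The thread shows rwflowpack dropping ASA flows as IGNORED, and Mark's reply notes that the zero-byte ones are likely unsuccessful connections (SYN to a closed port) that never reach the data store. The following script, added here as an example and not part of the thread or of SiLK, parses IGNORED log lines of the shape shown above, counts them per reason, and lists the zero-byte TCP flows so an operator can see how much of that visibility is being lost. It assumes the two counters after the protocol field are packets and bytes (consistent with the second sample line: 0 packets, 65 bytes, reason "no forward/reverse packets"); the log lines are constructed with documentation addresses.

```python
"""Summarise rwflowpack 'IGNORED' log lines (constructed sample data)."""
import re
from collections import Counter

# Log shape seen in the thread: syslog prefix, then pipe-delimited fields.
# ASSUMPTION: the two counters after the protocol are packets then bytes;
# this matches the sample line with 0 packets, 65 bytes, "no ... packets".
IGNORED_RE = re.compile(
    r"rwflowpack\[\d+\]: IGNORED\|(?P<sip>[^|]+)\|(?P<dip>[^|]+)\|"
    r"(?P<sport>\d+)\|(?P<dport>\d+)\|(?P<proto>\d+)\|"
    r"(?P<pkts>\d+)\|(?P<bytes>\d+)\|(?P<reason>[^|]*)\|"
)

# Constructed sample: same layout as the thread's log, documentation IPs.
SAMPLE_LOG = """\
Sep 10 18:14:56 debian rwflowpack[39558]: IGNORED|192.168.0.248|203.0.113.10|52006|80|6|0|0|no forward/reverse octets|
Sep 10 18:14:56 debian rwflowpack[39558]: IGNORED|198.51.100.7|192.0.2.5|63034|1777|6|0|65|no forward/reverse packets|
Sep 10 18:14:57 debian rwflowpack[39558]: IGNORED|192.168.0.248|203.0.113.10|52007|443|6|0|0|no forward/reverse octets|
Sep 10 18:14:57 debian rwflowpack[39558]: some unrelated message
"""


def parse_ignored(text):
    """Return one dict per IGNORED line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = IGNORED_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "proto", "pkts", "bytes"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records


def summarise(records):
    """Count drops per reason and list zero-byte TCP flows: the thread
    describes these as probable failed connections, which are invisible
    to later analysis while rwflowpack ignores them."""
    by_reason = Counter(r["reason"] for r in records)
    zero_byte_tcp = [(r["sip"], r["dip"], r["dport"])
                     for r in records if r["proto"] == 6 and r["bytes"] == 0]
    return by_reason, zero_byte_tcp


if __name__ == "__main__":
    reasons, dropped = summarise(parse_ignored(SAMPLE_LOG))
    for reason, n in reasons.most_common():
        print(f"{n:5d}  {reason}")
    for sip, dip, dport in dropped:
        print(f"zero-byte TCP flow dropped: {sip} -> {dip}:{dport}")
```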