[netsa-tools-discuss] rwflowpack with Cisco ASA (netflow9) issue

Evgeniy Sudyr eject.in.ua at gmail.com
Thu Sep 10 17:14:49 EDT 2015


Quick update: after adding "quirks firewall-event, zero-packets" to
sensor.conf, I got data captured to the data directory from rwflowpack.

On Thu, Sep 10, 2015 at 10:25 PM, Evgeniy Sudyr <eject.in.ua at gmail.com>
wrote:

> Hi Mark,
>
> just to make sure that I was understood correctly: I'm getting nothing
> captured to the rwflowpack data directory, only those events in the logfile.
>
> I want to help such a great project, so let me ask:
>
> 1) does it help if I send a capture file (pcap) with netflow v9 packets
> (including the template, of course)?
> 2) I can test any code changes immediately and will let you know. Do you
> have some SCM repository I can check out / pull changes from?
>
> On Thu, Sep 10, 2015 at 9:57 PM, Mark Thomas <mthomas at cert.org> wrote:
>
>> Evgeniy-
>>
>> Thank you for providing your configuration files.
>>
>> Modifying the probe block in the sensor.conf file to have the
>> additional "quirks" line shown here:
>>
>>   probe P1 netflow-v9
>>           listen-on-port 9996
>>           protocol udp
>>           accept-from-host 192.168.1.1
>>           log-flags bad
>>           quirks firewall-event, zero-packets
>>   end probe
>>
>> should remove some of those ignored flows from the log file.
>>
>> The currently released SiLK code (v3.10.2) assumes that the ASA is
>> sending the firewall event using the "NF_F_FW_EVENT" element.
>> However, it appears that Cisco has started to send these events
>> using the standard "firewallEvent" element.  The patch that I
>> included in that thread fixes the issue.  (The patch is in
>> http://permalink.gmane.org/gmane.comp.networking.netsa.tools/108 ).
>>
>> There is still one unresolved source of "ignored" flows that is
>> mentioned in that thread:
>>
>>   The majority of the remaining flows logged as IGNORED by flowcap
>>   appear to be SKIPFIX_FW_EVENT_DELETED where bytes and rev-bytes ==
>>   0.  These appear to be unsuccessful connections (eg SYN to closed
>>   port - so no payload bytes).
>>
>> I need to modify the code so these are also stored instead of being
>> ignored.
>>
>> -Mark
>>
>>
>> -----Original Message-----
>> From: Evgeniy Sudyr <eject.in.ua at gmail.com>
>> Date: Thu, 10 Sep 2015 18:24:23 +0200
>> To: <netsa-tools-discuss at cert.org>
>> Cc: <hephaestus.studio at gmail.com>
>> Subject: [netsa-tools-discuss] rwflowpack with Cisco ASA (netflow9) issue
>>
>> Hi, I saw that someone got ASA netflow working with rwflowpack here:
>> http://comments.gmane.org/gmane.comp.networking.netsa.tools/107 .
>>
>> I'm trying to get it working in the lab with an ASA5515-X (Netflow V9), and my
>> config looks good; however, I'm getting no data, just errors in the log.
>>
>> After starting, rwflowpack catches the template packet and starts complaining.
>>
>> Log:
>>
>> Sep 10 18:14:56 debian rwflowpack[39558]: IGNORED|192.168.0.248|85.126.xx.xx|52006|80|6|0|0|no forward/reverse octets|
>> Sep 10 18:14:56 debian rwflowpack[39558]: IGNORED|178.124.xx.xx|185.56.xx.xx|63034|1777|6|0|65|no forward/reverse packets|
>> Sep 10 18:14:56 debian rwflowpack[39558]:
>>
>>
>> I'm starting rwflowpack with:
>>
>> rwflowpack --input-mode=stream
>> --sensor-configuration=/opt/silk/sensor.conf
>> --root-directory=/opt/silk/data/ --compression-method=best
>> --site-config-file=/opt/silk/silk.conf
>> --log-destination=/opt/silk/silk.log
>>
>> $ cat silk.conf
>>
>> version 2
>> sensor 0 S0    "Description for sensor S0"
>> sensor 1 S1
>> sensor 2 S2    "Optional description for sensor S2"
>> sensor 3 S3
>> sensor 4 S4
>> sensor 5 S5
>> sensor 6 S6
>> sensor 7 S7
>> sensor 8 S8
>> sensor 9 S9
>> sensor 10 S10
>> sensor 11 S11
>> sensor 12 S12
>> sensor 13 S13
>> sensor 14 S14
>> class all
>>     sensors S0 S1 S2 S3 S4 S5 S6 S7 S8 S9 S10 S11 S12 S13 S14
>> end class
>> class all
>>     type  0 in      in
>>     type  1 out     out
>>     type  2 inweb   iw
>>     type  3 outweb  ow
>>     type  4 innull  innull
>>     type  5 outnull outnull
>>     type  6 int2int int2int
>>     type  7 ext2ext ext2ext
>>     type  8 inicmp  inicmp
>>     type  9 outicmp outicmp
>>     type 10 other   other
>>     default-types in inweb inicmp
>> end class
>> default-class all
>> packing-logic "packlogic-twoway.so"
>>
>>
>> $ cat sensor.conf
>>
>> group G1
>>      ipblocks 192.168.0.0/16 10.0.0.0/8
>> end group
>>
>> probe P1 netflow-v9
>>         listen-on-port 9996
>>         protocol udp
>>         accept-from-host 192.168.1.1
>>         log-flags bad
>> end probe
>>
>> sensor S0
>>       netflow-v9-probes P1
>>       internal-ipblocks 192.168.0.0/16 10.0.0.0/8
>>       external-ipblocks remainder
>> end sensor
>>
>>
>> Any help is appreciated!
>>
>> Working configs for ASA and Netflow v9 will help much more.
>>
>> --
>> With regards,
>> Evgeniy
>>
>
>
>
> --
> --
> With regards,
> Eugene Sudyr
>



-- 
--
With regards,
Eugene Sudyr
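For anyone triaging the same symptom, the following is an added example (not code from this thread or from SiLK) that tallies the IGNORED records rwflowpack writes to its log, so you can see which ignore reasons dominate before and after changing the probe's quirks. It assumes the record layout visible in the log excerpt above, sIP|dIP|sPort|dPort|proto|packets|octets|reason, with the packets/octets column order inferred from the two sample lines; the sample log below is constructed.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class IgnoredFlow(NamedTuple):
    sip: str
    dip: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    reason: str


# Constructed sample log, modelled on the excerpt in the thread (the real
# log writes each record on one line; the mail client wrapped them).
SAMPLE_LOG = """\
Sep 10 18:14:56 debian rwflowpack[39558]: IGNORED|192.168.0.248|203.0.113.10|52006|80|6|0|0|no forward/reverse octets|
Sep 10 18:14:56 debian rwflowpack[39558]: IGNORED|198.51.100.7|203.0.113.20|63034|1777|6|0|65|no forward/reverse packets|
Sep 10 18:14:57 debian rwflowpack[39558]: IGNORED|10.0.0.5|192.168.0.9|443|51000|6|0|0|no forward/reverse octets|
Sep 10 18:14:57 debian rwflowpack[39558]: unrelated status message
"""

# Assumed field order: sIP|dIP|sPort|dPort|proto|packets|octets|reason|
IGNORED_RE = re.compile(
    r"rwflowpack\[\d+\]: IGNORED\|([^|]*)\|([^|]*)\|(\d+)\|(\d+)\|(\d+)\|(\d+)\|(\d+)\|([^|]*)\|"
)


def parse_ignored(log_text: str) -> List[IgnoredFlow]:
    """Return one IgnoredFlow per IGNORED record; other log lines are skipped."""
    flows = []
    for line in log_text.splitlines():
        m = IGNORED_RE.search(line)
        if m is None:
            continue
        sip, dip, sport, dport, proto, pkts, octs, reason = m.groups()
        flows.append(IgnoredFlow(sip, dip, int(sport), int(dport), int(proto),
                                 int(pkts), int(octs), reason.strip()))
    return flows


def summarize(flows: List[IgnoredFlow]) -> Dict[str, int]:
    """Count records per ignore reason, plus how many carry zero packets and
    zero octets, the two conditions named in the log's reason strings."""
    summary: Dict[str, int] = dict(Counter(f.reason for f in flows))
    summary["_zero_packets"] = sum(1 for f in flows if f.packets == 0)
    summary["_zero_octets"] = sum(1 for f in flows if f.octets == 0)
    return summary


if __name__ == "__main__":
    for reason, n in sorted(summarize(parse_ignored(SAMPLE_LOG)).items()):
        print(f"{n:6d}  {reason}")
```

Run it against the real silk.log once with the original probe block and once with the quirks line added; the per-reason counts show which class of records the quirk recovered and which (for instance the zero-octet ones Mark mentions) remain.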