Messages - marianh

#1
OPNsense version: 16.7.
Problem: cannot find the source MAC and destination MAC in NetFlow exports.
Suggested solution: add MAC address fields (IN_SRC_MAC, OUT_DST_MAC) to the NetFlow v9 template.

Packet capture of the export:

Cisco NetFlow/IPFIX
    Version: 9
    Count: 23
    SysUptime: 1118038.000000000 seconds
    Timestamp: Jun 28, 2017 09:14:14.000000000 Central Europe Daylight Time
    FlowSequence: 11277
    SourceId: 0
    FlowSet 1 [id=256] (10 flows)
        FlowSet Id: (Data) (256)
        FlowSet Length: 576
        [Template Frame: 1]
        Flow 1
            SrcAddr: 10.100.1.70
            DstAddr: 10.100.0.1
            NextHop: 130.41.41.199
            InputInt: 2
            OutputInt: 7
            Packets: 1
            Octets: 63
            Post Packets: 0
            Post Octets: 0
            [Duration: 0.000000000 seconds (switched)]
                StartTime: 1118016.000000000 seconds
                EndTime: 1118016.000000000 seconds
            SrcPort: 55738
            DstPort: 53
            TCP Flags: 0x00
                00.. .... = Reserved: 0x0
                ..0. .... = URG: Not used
                ...0 .... = ACK: Not used
                .... 0... = PSH: Not used
                .... .0.. = RST: Not used
                .... ..0. = SYN: Not used
                .... ...0 = FIN: Not used
            Protocol: UDP (17)
            IP ToS: 0x00
            SrcAS: 0
            DstAS: 0
            SrcMask: 16
            DstMask: 32

Capture of the sent NetFlow template:

Cisco NetFlow/IPFIX
    Version: 9
    Count: 23
    SysUptime: 1117945.000000000 seconds
    Timestamp: Jun 28, 2017 09:12:41.000000000 Central Europe Daylight Time
    FlowSequence: 11272
    SourceId: 0
    FlowSet 1 [id=0] (Data Template): 256,259
        FlowSet Id: Data Template (V9) (0)
        FlowSet Length: 172
        Template (Id = 256, Count = 20)
            Template Id: 256
            Field Count: 20
            Field (1/20): IP_SRC_ADDR
            Field (2/20): IP_DST_ADDR
            Field (3/20): IP_NEXT_HOP
            Field (4/20): INPUT_SNMP
            Field (5/20): OUTPUT_SNMP
            Field (6/20): PKTS
            Field (7/20): BYTES
            Field (8/20): OUT_PKTS
            Field (9/20): OUT_BYTES
            Field (10/20): FIRST_SWITCHED
            Field (11/20): LAST_SWITCHED
            Field (12/20): L4_SRC_PORT
            Field (13/20): L4_DST_PORT
            Field (14/20): TCP_FLAGS
            Field (15/20): PROTOCOL
            Field (16/20): IP_TOS
            Field (17/20): SRC_AS
            Field (18/20): DST_AS
            Field (19/20): SRC_MASK
            Field (20/20): DST_MASK
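To make the request concrete, here is an added example (not code from the post or from OPNsense) that builds a NetFlow v9 template flowset with the two requested fields appended to the page's template 256 layout, emits a matching data flowset, and decodes it the way a collector does. The template id 257 used for the extended template, the field lengths (2-byte SNMP indexes, 4-byte AS numbers, chosen so that ten records pack into the capture's 576-byte flowset) and the MAC addresses in the sample flow are assumptions; field type IDs 56 (IN_SRC_MAC) and 57 (OUT_DST_MAC) are the RFC 3954 values. It also shows the failure mode a collector must handle: a data flowset that arrives before its template cannot be decoded and is reported rather than guessed.

```python
import struct
from ipaddress import IPv4Address

# RFC 3954 field type IDs and lengths, keyed by the Wireshark names used in the
# capture above. Lengths are an assumption that reproduces the capture's 576-byte
# flowset for 10 flows (57-byte records, padded to a 4-byte boundary).
FIELDS = {
    "IP_SRC_ADDR": (8, 4), "IP_DST_ADDR": (12, 4), "IP_NEXT_HOP": (15, 4),
    "INPUT_SNMP": (10, 2), "OUTPUT_SNMP": (14, 2),
    "PKTS": (2, 4), "BYTES": (1, 4), "OUT_PKTS": (24, 4), "OUT_BYTES": (23, 4),
    "FIRST_SWITCHED": (22, 4), "LAST_SWITCHED": (21, 4),
    "L4_SRC_PORT": (7, 2), "L4_DST_PORT": (11, 2), "TCP_FLAGS": (6, 1),
    "PROTOCOL": (4, 1), "IP_TOS": (5, 1), "SRC_AS": (16, 4), "DST_AS": (17, 4),
    "SRC_MASK": (9, 1), "DST_MASK": (13, 1),
    # The two fields the post asks for; 56 and 57 are their RFC 3954 type IDs.
    "IN_SRC_MAC": (56, 6), "OUT_DST_MAC": (57, 6),
}
ID_TO_NAME = {fid: name for name, (fid, _) in FIELDS.items()}
IPV4_IDS = {8, 12, 15}
MAC_IDS = {56, 57, 80, 81}   # 80/81 are IN_DST_MAC/OUT_SRC_MAC, decoded if seen

# Template 256 in the order the capture shows it, and the extended variant.
ORIGINAL_TEMPLATE = [
    "IP_SRC_ADDR", "IP_DST_ADDR", "IP_NEXT_HOP", "INPUT_SNMP", "OUTPUT_SNMP",
    "PKTS", "BYTES", "OUT_PKTS", "OUT_BYTES", "FIRST_SWITCHED", "LAST_SWITCHED",
    "L4_SRC_PORT", "L4_DST_PORT", "TCP_FLAGS", "PROTOCOL", "IP_TOS",
    "SRC_AS", "DST_AS", "SRC_MASK", "DST_MASK",
]
EXTENDED_TEMPLATE = ORIGINAL_TEMPLATE + ["IN_SRC_MAC", "OUT_DST_MAC"]

# Constructed sample: Flow 1 of the capture plus made-up MAC addresses.
SAMPLE_FLOW = {
    "IP_SRC_ADDR": "10.100.1.70", "IP_DST_ADDR": "10.100.0.1",
    "IP_NEXT_HOP": "130.41.41.199", "INPUT_SNMP": 2, "OUTPUT_SNMP": 7,
    "PKTS": 1, "BYTES": 63, "OUT_PKTS": 0, "OUT_BYTES": 0,
    "FIRST_SWITCHED": 1118016000, "LAST_SWITCHED": 1118016000,  # uptime in ms
    "L4_SRC_PORT": 55738, "L4_DST_PORT": 53, "TCP_FLAGS": 0, "PROTOCOL": 17,
    "IP_TOS": 0, "SRC_AS": 0, "DST_AS": 0, "SRC_MASK": 16, "DST_MASK": 32,
    "IN_SRC_MAC": "00:11:22:33:44:55", "OUT_DST_MAC": "66:77:88:99:aa:bb",
}


def encode_value(name, value):
    fid, length = FIELDS[name]
    if fid in IPV4_IDS:
        return IPv4Address(value).packed
    if fid in MAC_IDS:
        return bytes.fromhex(value.replace(":", ""))
    return int(value).to_bytes(length, "big")


def template_flowset(template_id, names):
    """Flowset id 0: (template id, field count), then (type, length) per field."""
    body = struct.pack("!HH", template_id, len(names))
    body += b"".join(struct.pack("!HH", *FIELDS[n]) for n in names)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def data_flowset(template_id, names, records):
    """Flowset id = template id; records back to back, padded to 4 bytes."""
    body = b"".join(encode_value(n, rec[n]) for rec in records for n in names)
    body += b"\x00" * (-len(body) % 4)
    return struct.pack("!HH", template_id, 4 + len(body)) + body


def v9_packet(flowsets, record_count, sysuptime_ms, unix_secs, seq, source_id=0):
    """20-byte v9 header: version, count, uptime, unix secs, sequence, source id."""
    hdr = struct.pack("!HHIIII", 9, record_count, sysuptime_ms, unix_secs, seq, source_id)
    return hdr + b"".join(flowsets)


def decode_value(fid, raw):
    if fid in IPV4_IDS and len(raw) == 4:
        return str(IPv4Address(raw))
    if fid in MAC_IDS and len(raw) == 6:
        return raw.hex(":")
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates):
    """Collector side. `templates` is the per-exporter cache; a data flowset whose
    template has not been seen yet is listed in `skipped` instead of being guessed."""
    version, count, _up, _secs, seq, _src = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9: version {version}")
    records, skipped, pos = [], [], 20
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[pos:pos + 4])
        if fs_len < 4:
            raise ValueError("malformed flowset length")
        body = packet[pos + 4:pos + fs_len]
        if fs_id == 0:                                   # template flowset
            off = 0
            while off + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[off:off + 4])
                off += 4
                templates[tid] = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4])
                                  for i in range(nfields)]
                off += 4 * nfields
        elif fs_id >= 256:                               # data flowset
            spec = templates.get(fs_id)
            if spec is None:
                skipped.append(fs_id)
            else:
                rec_len = sum(flen for _, flen in spec)
                for off in range(0, len(body) - rec_len + 1, rec_len):
                    rec, p = {}, off
                    for fid, flen in spec:
                        rec[ID_TO_NAME.get(fid, f"field_{fid}")] = decode_value(fid, body[p:p + flen])
                        p += flen
                    records.append(rec)
        pos += fs_len
    return {"count": count, "sequence": seq, "records": records, "skipped": skipped}


def demo():
    """Template id 257 for the extended template is an assumption, not OPNsense's."""
    cache = {}
    # Data before its template: the collector cannot decode it and must not guess.
    early = v9_packet([data_flowset(257, EXTENDED_TEMPLATE, [SAMPLE_FLOW])],
                      1, 1118038000, 1498634054, 11277)
    first = parse_v9(early, cache)
    # Template then data in one export: the MAC fields now arrive and decode.
    later = v9_packet([template_flowset(257, EXTENDED_TEMPLATE),
                       data_flowset(257, EXTENDED_TEMPLATE, [SAMPLE_FLOW])],
                      2, 1118038000, 1498634054, 11278)
    return first, parse_v9(later, cache)
```

Calling `demo()` returns the two parse results: the first has no records and `skipped == [257]`, the second carries the flow with `IN_SRC_MAC` and `OUT_DST_MAC` as colon-separated strings. `len(data_flowset(256, ORIGINAL_TEMPLATE, [SAMPLE_FLOW] * 10))` comes out at 576, matching the FlowSet Length in the capture, which is the check worth running before trusting any assumed field widths.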
#2
16.7 Legacy Series / Re: Netflow export IP address
June 27, 2017, 02:41:58 PM
Quote from: mimugmail on June 27, 2017, 02:04:14 PM
Push "Tab" or "Space" after adding the ip address ... known "bug/limitation"
Thanks, that was it. BTW, push = press to avoid misunderstanding.
#3
Whenever I add or change the IP address in Reporting -> NetFlow -> Destinations, it reverts back to 127.0.0.1:2056 (if Capture local is checked) or to a blank string (if Capture local is unchecked).
Does the system accept a custom IP for the NetFlow data recipient?
#4
16.7 Legacy Series / Re: IPS cut off GUI access from WAN
September 08, 2016, 06:34:16 AM
Hi AdSchellevis,

as I wrote in my first post, I already have intel-em-kmod (7.6.2) on my system.
#5
16.7 Legacy Series / IPS cut off GUI access from WAN
September 07, 2016, 09:48:38 AM
Enabling IPS cuts off GUI access from WAN. The only solution is to kill the suricata process.
Cut off: ping from OPNsense to the upstream gateway works, but I cannot access the GUI (connection timeout).
NIC: em0 - Intel Pro/1000 7.6.1, also 7.6.2.
Offloads completely disabled. No IPS rulesets loaded. No alerts.
I did a packet capture and it seems that OPNsense and my workstation communicate.

Enabling IPS:
Sep 7 09:27:33    kernel: 253.050654 [ 274] generic_find_num_queues called, in txq 0 rxq 0
Sep 7 09:27:33    kernel: 253.036456 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
Sep 7 09:27:33    kernel: 253.022228 [ 798] generic_netmap_dtor Restored native NA 0
Sep 7 09:27:33    kernel: 253.008023 [ 274] generic_find_num_queues called, in txq 0 rxq 0
Sep 7 09:27:33    kernel: 252.996591 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
Sep 7 09:27:33    kernel: 252.979590 [ 798] generic_netmap_dtor Restored native NA 0
Sep 7 09:27:33    kernel: 252.965387 [1233] netmap_mem_global_config reconfiguring
Sep 7 09:27:33    kernel: 252.951174 [ 274] generic_find_num_queues called, in txq 0 rxq 0
Sep 7 09:27:33    kernel: 252.931346 [ 266] generic_find_num_desc called, in tx 1024 rx 1024


Disabling IPS:
Sep 7 09:28:49    kernel: 329.427691 [ 798] generic_netmap_dtor Restored native NA 0