Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - marianh

Pages: [1]

General Discussion / Missing MAC addresses in NetFlow exports

« on: June 28, 2017, 09:26:59 am »

Version of OPNsense 16.7.
Problem: cannot find source MAC and destination MAC in NetFlow exports.
Suggested solution: add mac address fields (IN_SRC_MAC, OUT_DST_MAC) in NetFlow v9 template.

Packet capture of the export:
Cisco NetFlow/IPFIX Version: 9 Count: 23 SysUptime: 1118038.000000000 seconds Timestamp: Jun 28, 2017 09:14:14.000000000 Central Europe Daylight Time FlowSequence: 11277 SourceId: 0 FlowSet 1 [id=256] (10 flows) FlowSet Id: (Data) (256) FlowSet Length: 576 [Template Frame: 1] Flow 1 SrcAddr: 10.100.1.70 DstAddr: 10.100.0.1 NextHop: 130.41.41.199 InputInt: 2 OutputInt: 7 Packets: 1 Octets: 63 Post Packets: 0 Post Octets: 0 [Duration: 0.000000000 seconds (switched)] StartTime: 1118016.000000000 seconds EndTime: 1118016.000000000 seconds SrcPort: 55738 DstPort: 53 TCP Flags: 0x00 00.. .... = Reserved: 0x0 ..0. .... = URG: Not used ...0 .... = ACK: Not used .... 0... = PSH: Not used .... .0.. = RST: Not used .... ..0. = SYN: Not used .... ...0 = FIN: Not used Protocol: UDP (17) IP ToS: 0x00 SrcAS: 0 DstAS: 0 SrcMask: 16 DstMask: 32

Capture of sent Netflow template:
Cisco NetFlow/IPFIX Version: 9 Count: 23 SysUptime: 1117945.000000000 seconds Timestamp: Jun 28, 2017 09:12:41.000000000 Central Europe Daylight Time FlowSequence: 11272 SourceId: 0 FlowSet 1 [id=0] (Data Template): 256,259 FlowSet Id: Data Template (V9) (0) FlowSet Length: 172 Template (Id = 256, Count = 20) Template Id: 256 Field Count: 20 Field (1/20): IP_SRC_ADDR Field (2/20): IP_DST_ADDR Field (3/20): IP_NEXT_HOP Field (4/20): INPUT_SNMP Field (5/20): OUTPUT_SNMP Field (6/20): PKTS Field (7/20): BYTES Field (8/20): OUT_PKTS Field (9/20): OUT_BYTES Field (10/20): FIRST_SWITCHED Field (11/20): LAST_SWITCHED Field (12/20): L4_SRC_PORT Field (13/20): L4_DST_PORT Field (14/20): TCP_FLAGS Field (15/20): PROTOCOL Field (16/20): IP_TOS Field (17/20): SRC_AS Field (18/20): DST_AS Field (19/20): SRC_MASK Field (20/20): DST_MASK

16.7 Legacy Series / [SOLVED] Netflow export IP address

« on: June 27, 2017, 02:03:03 pm »

Whenever I add or change IP address in Reporting -> NetFlow -> Destinations it reverts back to 127.0.0.1:2056 (if Capture local is checked) or to blank string (if Capture local is unchecked).
Does the system accept custom IP for NetFlow data recipient?

16.7 Legacy Series / IPS cut off GUI access from WAN

« on: September 07, 2016, 09:48:38 am »

Enabling IPS cut off GUI access from WAN. Only solution is to kill suricata process.
Cut off - ping from OPNsense to upstream gateway works but I cannot access GUI (connection timeout).
NIC: em0 - Intel Pro/1000 7.6.1 also 7.6.2.
Offloads completely disabled. No IPS rulesets loaded. No alerts.
I did packet capture and it seems that OPNsense and my workstation communicates.

Enabling IPS:Sep 7 09:27:33 kernel: 253.050654 [ 274] generic_find_num_queues called, in txq 0 rxq 0 Sep 7 09:27:33 kernel: 253.036456 [ 266] generic_find_num_desc called, in tx 1024 rx 1024 Sep 7 09:27:33 kernel: 253.022228 [ 798] generic_netmap_dtor Restored native NA 0 Sep 7 09:27:33 kernel: 253.008023 [ 274] generic_find_num_queues called, in txq 0 rxq 0 Sep 7 09:27:33 kernel: 252.996591 [ 266] generic_find_num_desc called, in tx 1024 rx 1024 Sep 7 09:27:33 kernel: 252.979590 [ 798] generic_netmap_dtor Restored native NA 0 Sep 7 09:27:33 kernel: 252.965387 [1233] netmap_mem_global_config reconfiguring Sep 7 09:27:33 kernel: 252.951174 [ 274] generic_find_num_queues called, in txq 0 rxq 0 Sep 7 09:27:33 kernel: 252.931346 [ 266] generic_find_num_desc called, in tx 1024 rx 1024

Disabling IPS:Sep 7 09:28:49 kernel: 329.427691 [ 798] generic_netmap_dtor Restored native NA 0

Pages: [1]