9 Replies Latest reply on Feb 15, 2016 9:57 AM by santintel10

    How can I configure Netflow on my SIEM?

    santintel10

      Hi,

       

      I have configured Netflow on my router (Cisco) like so:

       

      ROUTER01>sh ip flow ex

      Flow export v9 is enabled for main cache

      Export source and destination details :

        VRF ID : Default

        Source(1) 10.10.10.1 (Loopback1)

        Destination(1)  192.168.0.10 (9993)

       

      My SIEM looks like this:

       

      [attached screenshot: netflow.PNG]

       

      IP Address is 10.10.10.1

       

       

      Also, I'm receiving packets, because I have run tcpdump and I'm seeing traffic, like so:

       

      McAfee-ENMELM-5600 ~ # tcpdump -i eth1 port 9993

      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

      listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes

      14:15:21.315216 IP 10.10.10.1.65124 > 192.168.0.10.palace-4: UDP, length 1416

      14:15:21.315524 IP 10.10.10.1.65124 > 192.168.0.10.palace-4: UDP, length 1416

      14:15:21.315960 IP 10.10.10.1.65124 > 192.168.0.10.palace-4: UDP, length 1404

      14:15:21.316303 IP 10.10.10.1.65124 > 192.168.0.10.palace-4: UDP, length 1416

      14:15:21.320414 IP 10.10.10.1.65124 > 192.168.0.10.palace-4: UDP, length 1416

      14:15:21.321822 IP 10.10.10.1.65124 > 192.168.0.10.palace-4: UDP, length 1416



      So, on the router I also have Netflow events, as you can see here:


      id 111206/s**,vsys 0,flag 00000040/0000/0001/0000,policy 1382,time 6, dip 0 module 0

      if 12(nspflag 800801):10.10.10.1/53604->192.168.0.10/9993,17,c464139ebd80,sess token 23,vlan 0,tun 0,vsd 0,route 48662

      if 0(nspflag 800800):10.10.10.1/53604->192.168.0.10/9993,17,001e67c29e04,sess token 3,vlan 0,tun 0,vsd 0,route 1

      id 139363/s**,vsys 0,flag 00000040/0000/0001/0000,policy 1382,time 6, dip 0 module 0

      if 12(nspflag 800801):10.10.10.1/53604->192.168.0.10/9993,17,c464139ebd80,sess token 23,vlan 0,tun 0,vsd 0,route 48682



      I don't have any events on my SIEM.


      [attached screenshot: event.PNG]


      So, can you help me with this issue, please?

       

      Let me know if you need more info

       

       

      Thanks
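The situation in the post (UDP arriving on the collector port, no events in the SIEM) is the classic symptom of a NetFlow v9 collector that has not yet received the exporter's template: v9 data records cannot be decoded until the matching template flowset arrives, and many collectors silently drop them until then. The decoder below is an added example, not code from the original post and not McAfee ESM/ELM code. It parses the v9 header and flowsets, keeps templates per source ID, and reports data flowsets that show up before their template. The two packets it feeds itself are constructed for the example (the addresses and port mirror the tcpdump output above; the field type numbers are the standard v9 IDs from RFC 3954).

```python
"""Minimal NetFlow v9 decoder for checking what a collector actually receives.

Added example, not code from the original post or from McAfee ESM/ELM.
Sample packets below are constructed by hand for this example.
"""
import struct
from ipaddress import IPv4Address

# Standard NetFlow v9 field type IDs (RFC 3954) used by the sample template.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}


def decode_field(ftype, raw):
    """Render one field value: IPv4 addresses as dotted quads, everything else as an int."""
    if ftype in (8, 12) and len(raw) == 4:
        return str(IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates):
    """Parse one NetFlow v9 packet (the UDP payload).

    `templates` is a dict keyed by (source_id, template_id) that must persist
    across packets, exactly as a real collector keeps it. Returns the header
    fields, the decoded records, and the IDs of data flowsets that arrived
    before any template describing them.
    """
    if len(packet) < 20:
        raise ValueError("short packet")
    version, count, _uptime, _unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    result = {"count": count, "sequence": seq, "source_id": source_id,
              "templates_seen": [], "records": [], "missing_templates": []}
    off = 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError(f"bad flowset length {fs_len} at offset {off}")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                      # template flowset; may carry several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
                result["templates_seen"].append(tid)
        elif fs_id == 1:                    # options template; not needed for this check
            pass
        elif fs_id >= 256:                  # data flowset; its ID is the template ID
            fields = templates.get((source_id, fs_id))
            if fields is None:
                result["missing_templates"].append(fs_id)   # undecodable without the template
            else:
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while pos + rec_len <= len(body):           # trailing bytes are padding
                    rec, p = {}, pos
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[p:p + flen])
                        p += flen
                    result["records"].append(rec)
                    pos += rec_len
        off += fs_len
    return result


# --- constructed sample traffic (not captured from the poster's network) ---
def v9_header(count, seq, source_id=1):
    return struct.pack("!HHIIII", 9, count, 123456, 1455530121, seq, source_id)


def template_flowset(tid, fields):
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def data_flowset(tid, records):
    body = b"".join(records)
    pad = (-len(body)) % 4                  # pad to a 4-byte boundary as exporters do
    return struct.pack("!HH", tid, 4 + len(body) + pad) + body + b"\0" * pad


SAMPLE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]   # src, dst, sport, dport, proto, bytes
SAMPLE_RECORD = (IPv4Address("10.10.10.1").packed + IPv4Address("192.168.0.10").packed
                 + struct.pack("!HHBI", 65124, 9993, 17, 1416))

# Packet A: data only, what a collector sees if it started after (or missed) the template.
PACKET_DATA_ONLY = v9_header(1, 100) + data_flowset(256, [SAMPLE_RECORD])
# Packet B: the template followed by the same data record.
PACKET_WITH_TEMPLATE = (v9_header(2, 101) + template_flowset(256, SAMPLE_FIELDS)
                        + data_flowset(256, [SAMPLE_RECORD]))


def check_stream(packets):
    """Feed packets in order through one shared template cache, as a collector would."""
    templates = {}
    return [parse_v9(p, templates) for p in packets]


if __name__ == "__main__":
    for i, r in enumerate(check_stream([PACKET_DATA_ONLY, PACKET_WITH_TEMPLATE])):
        print(f"packet {i}: seq={r['sequence']} templates={r['templates_seen']} "
              f"records={len(r['records'])} missing_templates={r['missing_templates']}")
```

To run this against real traffic, write the capture to disk (`tcpdump -i eth1 -w netflow.pcap udp port 9993`), extract each UDP payload with a pcap reader of your choice, and pass the payloads to `parse_v9` with one shared `templates` dict. If `missing_templates` stays non-empty across many consecutive packets, the collector is being fed data records it cannot decode; on Cisco IOS the `ip flow-export template refresh-rate` and `ip flow-export template timeout-rate` settings control how often the templates are resent, and restarting the collector after lowering them is the usual fix. A `version` other than 9 in the header would instead mean the exporter and the SIEM's data source are configured for different NetFlow versions.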