Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
1326
Introduction to Network Discovery
Understanding NetFlow
Chapter 32
represented by NetFlow data, when the system processes NetFlow records it
uses various methods to convert that data into connection logs as well as into
host and application protocol records.
There are several differences between converted NetFlow data and the discovery
and connection data gathered directly by your managed devices. You should keep
the differences in mind when performing analysis that requires:
• statistics on the number of detected connections
• operating system and other host-related information (including vulnerabilities)
• application data, including client information, web application information, and vendor and version server information
• knowing which host in a connection is the initiator and which is the responder
TIP!
For each field in a connection event, the
indicates the available data depending on whether the connection was detected
directly by Sourcefire managed devices, or if the connection event is based on
NetFlow data.
Number of Connection Events Generated Per Monitored Session
For connections detected directly by managed devices, depending on the access
control rule action, you can log a bidirectional connection event at the beginning
or end of a connection, or both.
However, because NetFlow-enabled devices export unidirectional connection
data, the system always generates at least two connection events for each
connection detected by NetFlow-enabled devices, depending on how you
configured the devices. This also means that a summary’s connection count is
incremented by two for every connection based on NetFlow data, providing an
inflated count of the number of connections that are actually occurring on your
network.
Note that if you configure your NetFlow-enabled devices to output records only
when the connection ends, the system generates two connection events for that
session. On the other hand, if you configure your NetFlow-enabled devices to
output records at a fixed interval even if a connection is still ongoing, the system
generates a connection event for each record exported by the device. For
example, if you configure your NetFlow-enabled devices to output records for
long-running connections every five minutes, and a particular connection lasts
twelve minutes, the system generates six connection events for that session:
• one pair of events for the first five minutes
• one pair for the second five minutes
• a final pair when the connection is terminated
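The counting rule above, and the inflation it causes in summary connection counts, can be modelled in a few lines. The following Python is an added illustration, not code from the Sourcefire 3D System or from Cisco. It assumes that each exported NetFlow record yields one connection event, that a device configured with an active-flow export interval emits a record at every interval boundary that falls strictly inside the session plus one when the session terminates, and that pairing the two unidirectional records of a session by a direction-agnostic key is an acceptable way to recover the real session count; the flow records and addresses are constructed for the example.

```python
from collections import namedtuple
from math import ceil

# Assumption for this example: the system turns every exported unidirectional
# NetFlow record into one connection event, and each session is exported once
# per direction, so events always arrive in pairs.
EVENTS_PER_RECORD_PAIR = 2


def expected_events(duration_min, export_interval_min=None):
    """Connection events the system would generate for a single session.

    duration_min        -- how long the session lasted, in minutes
    export_interval_min -- the device's export interval for ongoing flows, or
                           None when the device only exports at connection end
    Model (assumption): one record per direction at each interval boundary
    strictly before the session ends, plus a final record at termination.
    """
    if duration_min <= 0:
        raise ValueError("duration must be positive")
    records_per_direction = 1  # the record emitted when the session terminates
    if export_interval_min:
        # 12-minute session, 5-minute interval: boundaries at 5 and 10 -> 2 more
        records_per_direction += ceil(duration_min / export_interval_min) - 1
    return records_per_direction * EVENTS_PER_RECORD_PAIR


# Constructed representation of one unidirectional NetFlow record.
Flow = namedtuple("Flow", "src dst proto src_port dst_port")


def session_key(flow):
    """Direction-agnostic key, identical for the A->B and B->A records.

    Sorting the endpoints deliberately does not decide which host initiated
    the session: NetFlow data alone does not let the system tell initiator
    from responder reliably, so this key only pairs the two halves.
    """
    a = (flow.src, flow.src_port)
    b = (flow.dst, flow.dst_port)
    return (flow.proto,) + tuple(sorted([a, b]))


def count_sessions(flows):
    """Collapse unidirectional records into the number of distinct sessions."""
    return len({session_key(f) for f in flows})


def summary_inflation(flows):
    """Return (raw record count, distinct sessions).

    The raw count is what a connection summary reports when every NetFlow
    record becomes an event; the second value is the number of sessions that
    actually occurred under the pairing assumption above.
    """
    return len(flows), count_sessions(flows)


# Constructed sample: three sessions exported in both directions; the third
# is long-running and was exported twice per direction by its interval timer.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.80", "tcp", 51000, 443),
    Flow("10.0.0.80", "10.0.0.5", "tcp", 443, 51000),
    Flow("10.0.0.6", "10.0.0.53", "udp", 40001, 53),
    Flow("10.0.0.53", "10.0.0.6", "udp", 53, 40001),
    Flow("10.0.0.7", "10.0.0.22", "tcp", 52000, 22),
    Flow("10.0.0.22", "10.0.0.7", "tcp", 22, 52000),
    Flow("10.0.0.7", "10.0.0.22", "tcp", 52000, 22),
    Flow("10.0.0.22", "10.0.0.7", "tcp", 22, 52000),
]


if __name__ == "__main__":
    print("12 min, end-only export :", expected_events(12))
    print("12 min, 5 min interval  :", expected_events(12, 5))
    print("raw records vs sessions :", summary_inflation(SAMPLE_FLOWS))
```

Running the script reproduces the guide's twelve-minute example (six events with a five-minute interval, two when the device exports only at connection end) and shows the sample's eight raw records collapsing to three sessions. When comparing NetFlow-derived counts against counts from directly monitored traffic, divide by the pair factor or key on sessions as above rather than on raw events.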