Stealthwatch - Endpoint Concentrator - Process Name for Unidirectional Flows

dlucas
Level 1

I have a situation in which I am trying to determine what process is generating periodic UDP NetBIOS traffic from several workstations destined to a non-DC server. This traffic is getting blocked by my firewall, so the traffic is only observed leaving the endpoint, i.e. no return traffic is received by the endpoint. I have the Endpoint Concentrator set up, and it is receiving flows from the endpoint - I can see process names for other flows, but not for this particular traffic. In fact, when filtering my search to only this traffic from my Endpoint Concentrator I do not see the flow at all. So it appears that the endpoint isn't sending a flow record for this traffic - could this be because the traffic is unidirectional? I would hope not, but I can't see any other explanation, since I do see flows from my Endpoint Concentrator for other traffic.

-Thanks

7 Replies

hanjabbo
Cisco Employee

@dlucas is there any network device that is exporting network flows for that specific traffic before it gets blocked by the firewall?

Yes, I see the flows from other devices - but if I limit my search to only flows coming from my Endpoint Concentrator I do not see them.

dlucas
Level 1
After looking at more flows - I am also not getting a process name reported for some other flows as well. I haven't been able to identify a pattern to them - the bulk of my flows have a process name associated, but a noticeable percentage does not. Any idea why I would be getting a process name for some and not others? When I filter my search to only flows coming from the Endpoint Concentrator I see a process associated with all flows - when I add to that filter and search for traffic without a process name & coming from the Endpoint Concentrator I get nothing - it is as if the AnyConnect NVM isn't sending a flow record for everything for some reason.

The rules applied when flows are coming from NVM:

"The flows from an Endpoint Concentrator will be consumed and stitched only if they match with a related flow from a network device for the same conversation" - if they don't, they will be dropped.

"Flows from an NVM are only generated from an endpoint if it is the source of the traffic and only at the end of the session"

Applying these rules could explain the behavior you are seeing.

Thanks for the reply,

"The flows from an Endpoint Concentrator will be consumed and stitched only if they match with a related flow from a network device for the same conversation" - if they don't, they will be dropped.

I see the flows from other devices in my searches, so I know it's not because of this.

"Flows from an NVM are only generated from an endpoint if it is the source of the traffic and only at the end of the session"

According to the AnyConnect config guide, there is a setting that controls this behavior - I currently have this enabled, and set to 60 seconds, so I should be receiving flow information at the beginning, every 60 seconds, and at the end of the session:

"Periodic Flow Reporting (Optional, applies to desktop only) - Click to enable periodic flow reporting. By default, NVM sends information about the flow at the end of connection (when this option is disabled). If you need periodic information on the flows even before they are closed, set an interval in seconds here. The value of 0 means the flow information is sent at the beginning and at the end of each flow. If the value is n, the flow information will be sent at the beginning, every n seconds, and at the end of each flow. Use this setting for tracking long-running connections, even before they are closed."

I am going to try setting the periodic interval to 0, and see if that makes a difference.

Doesn't appear to have made a difference - still not seeing the process name for some of the endpoint flows.

Hi dlucas,

It seems from your other post on the same subject that the traffic has been denied by the firewall, and for all other flows that were not denied you can see the process. This is what I was trying to explain before: the endpoint flow has to have a related NetFlow record from the network. If the firewall has blocked it and no NetFlow record from the network relates to the same conversation, the endpoint flows will not be considered.

Regards
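As an added illustration (not Cisco's code, and not a description of how Stealthwatch is implemented internally), the following Python model applies the stitching rule quoted in this thread to a constructed set of NVM and network records, to show why an endpoint flow with no matching network record never surfaces with its process name. The field names, the direction-agnostic 5-tuple match and the sample addresses are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    exporter: str        # "nvm" for AnyConnect NVM, otherwise the network device
    process: str = ""    # process name, only ever present on NVM records

def conversation_key(f):
    """Direction-agnostic key: a network device may export the reply side of the conversation."""
    return (f.proto,) + tuple(sorted([(f.src, f.sport), (f.dst, f.dport)]))

def stitch(nvm_flows, network_flows):
    """Apply the rule quoted in the thread: an NVM record is consumed only when a
    network device exported the same conversation; otherwise it is dropped.
    Returns (stitched, dropped); stitched pairs each network record with the process name."""
    by_key = {}
    for nf in network_flows:
        by_key.setdefault(conversation_key(nf), []).append(nf)
    stitched, dropped = [], []
    for ef in nvm_flows:
        matches = by_key.get(conversation_key(ef), [])
        if not matches:
            dropped.append(ef)          # nothing on the network side to stitch to
        for nf in matches:
            stitched.append((nf, ef.process))
    return stitched, dropped

# Constructed sample data: a NetBIOS name-service datagram that no exporter reports
# (blocked before any network device saw it), and an HTTPS session that the core
# switch reports from the reply side.
NVM = [
    Flow("10.1.1.20", 137, "10.1.2.50", 137, "udp", "nvm", "svchost.exe"),
    Flow("10.1.1.20", 51515, "10.1.3.9", 443, "tcp", "nvm", "chrome.exe"),
]
NETWORK = [
    Flow("10.1.3.9", 443, "10.1.1.20", 51515, "tcp", "core-switch"),
]

if __name__ == "__main__":
    stitched, dropped = stitch(NVM, NETWORK)
    for nf, proc in stitched:
        print(f"{nf.exporter}: {nf.src}:{nf.sport} -> {nf.dst}:{nf.dport} process={proc}")
    for ef in dropped:
        print(f"dropped NVM record {ef.src}:{ef.sport} -> {ef.dst}:{ef.dport} ({ef.process})")
```

Under this rule, whether the blocked NetBIOS datagram keeps its process name depends on whether an exporter sits between the workstation and the point where the firewall drops it, which is exactly the question the thread leaves open.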
