IBM Security QRadar


Source and Destination Bytes show 0

  • 1.  Source and Destination Bytes show 0

    Posted Mon September 21, 2020 04:07 AM
    I have deployed QRadar and tried to configure Flow Sources in order to receive flows coming from my firewalls. I have configured NetFlow on the firewalls and I am using the default NetFlow flow source on QRadar, and left the monitoring interface set to ANY.
    But the source and destination bytes are still zero, with and without the (C).

    Would you please assist me on this matter?

    Many Thanks!!!

    ------------------------------
    Stephane Ramazani
    ------------------------------


  • 2.  RE: Source and Destination Bytes show 0

    Posted Tue October 06, 2020 03:57 PM
    Hello Stephane,

    (C) means you have a payload in the flow, which is not achievable using NetFlow (only layer 3 headers).
    Regarding the zero source and destination bytes, I would check on the firewall which version of NetFlow is used.

    Regards.
    Arnaud.

    ------------------------------
    Arnaud Chemla
    Head of security consulting
    Abakus Securité
    ------------------------------
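
    The check Arnaud suggests, done from the collector side rather than on the firewall: decode what the exporter is actually sending and see whether the byte counter (dOctets in NetFlow v5) is already zero on the wire. The script below is an added example written for this thread; it is not QRadar code or anything posted by the participants. It decodes the fixed 48-byte NetFlow v5 record format, rejects v9/IPFIX packets (which are template based, and only carry byte counts if the exporter's template includes the IN_BYTES element), and lists flows whose octet count is zero. The UDP port 2055 and the sample flows are assumptions constructed for the example.

```python
"""Decode NetFlow v5 exports and flag records with a zero byte counter.

Added example for diagnosing "Source/Destination Bytes = 0" in a flow collector.
If dOctets is already 0 in the exporter's packets, the collector is only showing
what it was given and the fix belongs on the firewall (NetFlow version/config).
"""
from __future__ import annotations

import socket
import struct
from dataclasses import dataclass

# NetFlow v5 wire layout: 24-byte header, then up to 30 fixed 48-byte records.
V5_HEADER = struct.Struct(">HHIIIIBBH")   # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
V5_RECORD = struct.Struct(">IIIHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, in_if, out_if, dPkts, dOctets, ...
assert V5_HEADER.size == 24 and V5_RECORD.size == 48


@dataclass
class FlowRecord:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int


def _ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack(">I", n))


def parse_netflow_v5(packet: bytes) -> list[FlowRecord]:
    """Decode one NetFlow v5 export datagram into FlowRecord objects."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("packet shorter than a NetFlow v5 header")
    version, count, *_ = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        # v9 (version 9) and IPFIX (version 10) are template based; the byte
        # counter only exists there if the template contains IN_BYTES (element 1).
        raise ValueError(f"not NetFlow v5 (version field = {version}); need a template-aware decoder")
    if len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header claims {count} records but the packet is truncated")
    records = []
    offset = V5_HEADER.size
    for _ in range(count):
        f = V5_RECORD.unpack_from(packet, offset)
        # field indices: 0 src, 1 dst, 5 dPkts, 6 dOctets, 9 sport, 10 dport, 13 prot
        records.append(FlowRecord(_ip(f[0]), _ip(f[1]), f[13], f[9], f[10], f[5], f[6]))
        offset += V5_RECORD.size
    return records


def zero_byte_records(records: list[FlowRecord]) -> list[FlowRecord]:
    """Flows where the exporter itself reported 0 octets (collector is not at fault)."""
    return [r for r in records if r.octets == 0]


def build_v5_packet(flows) -> bytes:
    """Construct a v5 datagram from (src, dst, proto, sport, dport, pkts, octets) tuples.
    Only used to produce offline sample input; a real firewall sends these over UDP."""
    header = V5_HEADER.pack(5, len(flows), 123456, 1600000000, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            struct.unpack(">I", socket.inet_aton(src))[0],
            struct.unpack(">I", socket.inet_aton(dst))[0],
            0, 1, 2, pkts, octets, 1000, 2000, sport, dport,
            0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for (src, dst, proto, sport, dport, pkts, octets) in flows)
    return header + body


# Constructed sample: two normal flows and one whose exporter sent dOctets = 0.
SAMPLE_FLOWS = [
    ("10.1.1.10", "203.0.113.5", 6, 51000, 443, 12, 1500),
    ("10.1.1.11", "203.0.113.9", 17, 53000, 53, 1, 78),
    ("10.1.1.12", "198.51.100.7", 6, 52000, 80, 9, 0),
]


def receive_and_check(port: int = 2055, datagrams: int = 10, timeout: float = 30.0) -> list[FlowRecord]:
    """Listen on the collector port (2055 assumed) and return zero-octet flows seen live."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    sock.settimeout(timeout)
    suspicious: list[FlowRecord] = []
    try:
        for _ in range(datagrams):
            data, (exporter, _) = sock.recvfrom(65535)
            try:
                recs = parse_netflow_v5(data)
            except ValueError as exc:
                print(f"{exporter}: {exc}")
                continue
            zeros = zero_byte_records(recs)
            print(f"{exporter}: {len(recs)} v5 records, {len(zeros)} with dOctets == 0")
            suspicious.extend(zeros)
    finally:
        sock.close()
    return suspicious


if __name__ == "__main__":
    for r in zero_byte_records(parse_netflow_v5(build_v5_packet(SAMPLE_FLOWS))):
        print(f"zero-byte flow on the wire: {r.src}:{r.sport} -> {r.dst}:{r.dport} proto {r.proto}")
```

    Point the firewall's NetFlow export at the host running `receive_and_check()` (or just run the script as-is to see the decoder on the constructed sample). A version error means the firewall is not sending v5 and the byte field depends on its v9/IPFIX template; zero-octet records on the wire mean the exporter never counted bytes, which matches a flow source that shows 0 for everything.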



  • 3.  RE: Source and Destination Bytes show 0

    Posted Tue October 06, 2020 05:05 PM
    Hello Arnaud,

    Thanks for your feedback.
    Not achievable using NetFlow, yes, but QFlow can normally read layer 7 content and view the payload.
    I will check on the firewall too.

    Thanks.
    Stephane

    ------------------------------
    Stephane Ramazani
    ------------------------------