topic Lot of 'insufficient-data' in General Topics

Lot of 'insufficient-data'

oschuler — Fri, 13 Jul 2012 22:38:25 GMT

Hello,

We see a lot of 'insufficient-data' traffic on our firewall and we couldn't find any reason so far. Does anyone have a good idea on how we can troubleshoot the issue?

If we click on the insufficient-data bar we get redirected to the ACC but it doesn't show much there...

Thanks,

Oliver

Re: Lot of 'insufficient-data'

apasupulati — Sat, 14 Jul 2012 00:50:02 GMT

Insufficient data in the application field usually means that there was not enough data to identify the application. For example, if the 3-way TCP handshake was completed and there was one data packet after the handshake but that one data packet was not enough to match any of our signatures, you would see insufficient data in the application field of the traffic log.

You can try to filter the traffic logs based on the application filter set to 'Insufficient data' and see what traffic it is.

You can refer to this doc:

Incomplete, Insufficient data and Not-applicable in the application field

Re: Lot of 'insufficient-data'

oschuler — Sat, 14 Jul 2012 13:23:14 GMT

Thank you. We tried that already. When we filter for 'insufficient-data' for the time frame above (18:30 - 00:30) we get a result set of only 41 rows. Each row reports only ~900 bytes up to 1.5 KB of data. If we sum that up, we get a maximum of 60 KB of insufficient data for these 6 hours.

If you look at the amount of insufficient-data in the first picture, you see that there are more than 2 GB of insufficient data in the mentioned time frame...

Re: Lot of 'insufficient-data'

jdelio — Thu, 19 Jul 2012 20:26:30 GMT

As much as I hate to say it, the "insufficient data" is showing up because part of the traffic is being dropped, and thus it is unable to determine what app is really being used.

Sometimes creating an "open" rule to allow the traffic, monitoring for that traffic, properly identifying the traffic, and then allow the traffic being specific helps.

This is because we do not look at the TCP handshake to determine what app is being used.. so that might work, but not the true "data", thus it shows up as Insuffient data.

Re: Lot of 'insufficient-data'

oschuler — Mon, 23 Jul 2012 12:16:33 GMT

Hmm, so that means we'd have to set our last rule (Deny and log everything else) to "allow"? Sounds not like a charming solution, hehe :smileygrin:

Re: Lot of 'insufficient-data'

jdelio — Tue, 24 Jul 2012 12:30:43 GMT

It is only recommended to do that for a short period of time. Sort of a Discovery of the network. Then you can narrow down the rule to just what you want/need.

Re: Lot of 'insufficient-data'

oschuler — Tue, 24 Jul 2012 18:35:53 GMT

Okay, we'll try that the next weekend. I'll post the result here next week.