Lot of 'insufficient-data'

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Lot of 'insufficient-data'

L4 Transporter

Hello,

We see a lot of 'insufficient-data' traffic on our firewall and we couldn't find any reason so far. Does anyone have a good idea on how we can troubleshoot the issue?

If we click on the insufficient-data bar we get redirected to the ACC but it doesn't show much there...

Insufficient-data.jpg

Insufficient-data2.jpg

Thanks,

Oliver

6 REPLIES 6

L4 Transporter

Insufficient data in the application field usually means that there was not enough data to identify the application. For example, if the 3-way TCP handshake was completed and there was one data packet after the handshake but that one data packet was not enough to match any of our signatures, you would see insufficient data in the application field of the traffic log.


You can try to filter the traffic logs based on the application filter set to 'Insufficient data' and see what traffic it is.

You can refer to this doc:

Incomplete, Insufficient data and Not-applicable in the application field

Thank you. We tried that already. When we filter for 'insufficient-data' for the time frame above (18:30 - 00:30) we get a result set of only 41 rows. Each row reports only ~900 bytes up to 1.5 KB of data. If we sum that up, we get a maximum of 60 KB of insufficient data for these 6 hours.

If you look at the amount of insufficient-data in the first picture, you see that there are more than 2 GB of insufficient data in the mentioned time frame...

As much as I hate to say it, the "insufficient data" is showing up because part of the traffic is being dropped, and thus it is unable to determine what app is really being used.

Sometimes creating an "open" rule to allow the traffic, monitoring for that traffic, properly identifying the traffic, and then allow the traffic being specific helps.

This is because we do not look at the TCP handshake to determine what app is being used.. so that might work, but not the true "data", thus it shows up as Insuffient data.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Hmm, so that means we'd have to set our last rule (Deny and log everything else) to "allow"? Sounds not like a charming solution, hehe :smileygrin:

It is only recommended to do that for a short period of time. Sort of a Discovery of the network.  Then you can narrow down the rule to just what you want/need.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Okay, we'll try that the next weekend. I'll post the result here next week.

  • 6713 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!