robcowart / elastiflow

Network flow analytics (Netflow, sFlow and IPFIX) with the Elastic Stack

APP Identification with Sophos UTM doesn't work correct #401

Closed diba78 closed 5 years ago

diba78 commented 5 years ago

Hi together,

I have a problem with the app identification in ElastiFlow. Only a few apps are identified.

Version of ElastiFlow is 3.5.1. Version of ELK is 7.3.1. Version of Sophos UTM is 9.605-1.

Here is the output i see in elastiflow:

(screenshot: Apps)

I see no netflix or other apps

I will attach a tcpdump too.

output.zip

Maybe it is a problem on the Sophos UTM. I don't know.

I hope you can help.

If you need more information, let me know.

Greetings

Dirk

robcowart commented 5 years ago

ElastiFlow doesn't do any App identification itself. It is simply providing the App ID information that may be provided in the flow records it receives.

In the case of Sophos, it provides the field seen in ElastiFlow as ipfix.sophos_afc_proto. This is an integer value that is translated using the dictionary sophos_app_id.yml. If the value is not found in this dictionary, it uses this default in the Logstash pipeline:

fallback => "Sophos: %{[ipfix][sophos_afc_proto]}"

This would be the case with the Sophos: 0 value in your screenshot.

There are two Netflix-related values in the dictionary:

"327": "Netflix Site"
"328": "Netflix Video Stream"

So I assume that in some form Sophos can detect this traffic. However, it probably depends on methods that may be older (most likely if you are using the free "Home" version of UTM). It may be necessary to update your version of UTM, or see if it is possible to at least update the App signature definitions.
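To make the lookup described above concrete, here is an added example (not ElastiFlow's own code): it parses the quoted-key lines of sophos_app_id.yml, applies the same "Sophos: N" fallback as the Logstash pipeline, and counts how many records fell through to the fallback, which is the quick check for whether the UTM is exporting usable App IDs at all. The dictionary excerpt and the flow records are constructed; only the two Netflix entries come from the issue.

```python
import re
from collections import Counter

# Constructed excerpt in the line format of sophos_app_id.yml (the two Netflix
# entries are quoted in the issue; the real file has many more entries).
SOPHOS_APP_ID_YML = '''
# app id -> application name
"327": "Netflix Site"
"328": "Netflix Video Stream"
'''

# One dictionary line: a quoted integer key, a colon, a quoted name.
LINE_RE = re.compile(r'^\s*"(\d+)"\s*:\s*"([^"]*)"\s*$')


def load_app_ids(text):
    """Parse the dictionary lines into {int app_id: name}, skipping blanks and comments."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unexpected dictionary line: {line!r}")
        table[int(match.group(1))] = match.group(2)
    return table


def translate_app(afc_proto, table):
    """Mirror the Logstash translate filter: dictionary hit, else the fallback string.
    Returns None when the field is absent, since the filter would not run at all."""
    if afc_proto is None:
        return None
    try:
        return table[int(afc_proto)]
    except (KeyError, ValueError):
        return f"Sophos: {afc_proto}"


def audit_flows(flows, table):
    """Translate each record and tally the ipfix.sophos_afc_proto values that had no
    dictionary entry. A tally dominated by 0 means the UTM is not classifying traffic."""
    names, unmapped = [], Counter()
    for flow in flows:
        afc = flow.get("ipfix", {}).get("sophos_afc_proto")
        name = translate_app(afc, table)
        if name is not None and name.startswith("Sophos: "):
            unmapped[int(afc)] += 1
        names.append(name)
    return names, unmapped


# Constructed flow records shaped like the relevant part of an ElastiFlow event.
SAMPLE_FLOWS = [{"ipfix": {"sophos_afc_proto": v}} for v in (327, 0, 0, 328, 999)]
```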