Symptom
Multiple events in Stealthwatch are being reported incorrectly. For example, a "block" action observed in the FMC connection events shows up as "permitted" in Stealthwatch.
We noticed that this was only happening with flows that went through Snort; when testing with a prefilter rule, the firewall event reported through NetFlow was correct. This makes sense, as LINA and Snort are separate: for traffic destined to Snort there will be a LINA rule that technically allows the traffic first, which results in the incorrect NetFlow "firewall event".
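One way to surface this discrepancy on your own data is to join FMC connection events to the NetFlow records Stealthwatch received on the 5-tuple and flag every flow where the two verdicts disagree, noting when the flow was Snort-inspected (the case described above). The script below is an added example, not Cisco's or Stealthwatch's code; the record fields, the sample flows, and the mapping of NSEL firewall-event codes (1 = permitted, 3 = denied) are assumptions for illustration rather than the exact export column names.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# 5-tuple used to join an FMC connection event to a NetFlow record.
FlowKey = Tuple[str, str, int, int, str]

# NetFlow/NSEL "firewall event" codes as this example assumes LINA exports
# them; Stealthwatch renders 1 as "permitted" and 3 as "denied".
NETFLOW_FW_EVENT = {1: "permitted", 3: "denied"}


@dataclass
class FmcEvent:
    """One FMC connection event (constructed fields, not the exact CSV columns)."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    action: str            # "Allow" or "Block" as shown in FMC
    snort_inspected: bool  # False when a prefilter rule handled the flow in LINA only

    def key(self) -> FlowKey:
        return (self.src, self.dst, self.sport, self.dport, self.proto)


@dataclass
class FlowRecord:
    """One flow as Stealthwatch received it via NetFlow (constructed fields)."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    fw_event: int          # assumed NSEL firewall-event code

    def key(self) -> FlowKey:
        return (self.src, self.dst, self.sport, self.dport, self.proto)


@dataclass
class Mismatch:
    key: FlowKey
    fmc_action: str
    netflow_action: Optional[str]
    likely_cause: str


def expected_netflow_action(fmc_action: str) -> str:
    """What the NetFlow firewall event would say if it tracked the FMC verdict."""
    return "denied" if fmc_action.lower() == "block" else "permitted"


def reconcile(fmc_events: List[FmcEvent], flows: List[FlowRecord]) -> List[Mismatch]:
    """Return every FMC event whose NetFlow firewall event disagrees with it."""
    by_key: Dict[FlowKey, FlowRecord] = {f.key(): f for f in flows}
    mismatches: List[Mismatch] = []
    for ev in fmc_events:
        rec = by_key.get(ev.key())
        if rec is None:
            mismatches.append(Mismatch(ev.key(), ev.action, None,
                                       "no NetFlow record for this 5-tuple"))
            continue
        seen = NETFLOW_FW_EVENT.get(rec.fw_event, f"unknown({rec.fw_event})")
        want = expected_netflow_action(ev.action)
        if seen == want:
            continue
        # The pattern from the report: Snort blocked, but LINA had already
        # permitted the flow, so NetFlow carries the LINA decision.
        if ev.snort_inspected and seen == "permitted" and want == "denied":
            cause = ("LINA permit precedes the Snort block verdict; "
                     "NetFlow reports the LINA decision")
        else:
            cause = "unexplained disagreement between FMC and NetFlow"
        mismatches.append(Mismatch(ev.key(), ev.action, seen, cause))
    return mismatches


# Constructed sample data reproducing the report: the same Block action once
# via Snort (NetFlow says permitted) and once via prefilter (NetFlow says denied).
SAMPLE_FMC = [
    FmcEvent("10.0.0.5", "192.0.2.10", 51000, 443, "tcp", "Block", True),
    FmcEvent("10.0.0.6", "192.0.2.11", 51001, 22, "tcp", "Block", False),
    FmcEvent("10.0.0.7", "192.0.2.12", 51002, 80, "tcp", "Allow", True),
]
SAMPLE_FLOWS = [
    FlowRecord("10.0.0.5", "192.0.2.10", 51000, 443, "tcp", 1),
    FlowRecord("10.0.0.6", "192.0.2.11", 51001, 22, "tcp", 3),
    FlowRecord("10.0.0.7", "192.0.2.12", 51002, 80, "tcp", 1),
]

if __name__ == "__main__":
    for m in reconcile(SAMPLE_FMC, SAMPLE_FLOWS):
        print(m.key, "FMC:", m.fmc_action, "NetFlow:", m.netflow_action,
              "->", m.likely_cause)
```

Run against the constructed sample, only the Snort-inspected Block flow is reported; the prefilter Block and the Allow flow agree with their NetFlow records. On real exports, a high count of Snort-inspected mismatches with this cause is the signal that Stealthwatch actions for that device should not be trusted for blocked traffic until the NetFlow export is corrected.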
Conditions
Version: 6.4.0.9
Model: Cisco Firepower 4110 Threat Defense
Active Snort Version: 2.9.14.9-15906