Optimization #1749

open

Log PACKET_DROP in inline mode for invalid states as well

Added by Andreas Herz over 6 years ago. Updated almost 3 years ago.

Status: New
Priority: Normal
Target version:
Effort: medium
Difficulty: medium
Label:

Description

There are several spots like in "StreamTcpPacketStateNone" in stream-tcp.c where we drop packets if Suricata is run in inline mode (NFQUEUE in my case) and we don't log anything about the packets, just increase the ips.blocked counter. While it was a faulty configuration (only one part of the connection was sent into the NFQUEUE), I would still say that if we have Suricata in IPS mode we should log the drops with more detail somehow, maybe use some messages we have for SCLogDebug for normal logging (drop.log for example).

Using the debug mode isn't very reasonable for a productive system but you might still end up with packet drops and want to see why they got dropped although no rule triggered.
At least we should add some output option to enable this kind of logging. Adding some lines to drop.log like "[DROP] $PACKETINFO - $REASON" shouldn't affect performance that much.

Actions #1

Updated by Victor Julien over 6 years ago

I think the first step is to add events for each of those cases, so we can match on it. Having a log could be interesting as well.

Actions #2

Updated by Victor Julien over 5 years ago

  • Assignee changed from OISF Dev to Andreas Herz
  • Target version changed from TBD to 70

Andreas can you add events for the 'silent' drops?

Actions #3

Updated by Andreas Herz over 5 years ago

Will give it a try!

Actions #4

Updated by Andreas Herz about 4 years ago

  • Assignee changed from Andreas Herz to Anonymous
  • Effort set to medium
  • Difficulty set to medium

Actions #5

Updated by Andreas Herz over 3 years ago

  • Assignee set to Community Ticket

Actions #6

Updated by Andreas Herz over 3 years ago

  • Target version changed from 70 to TBD

Would it make sense to have dedicated drop counters in the stats as well?

Actions #7

Updated by Victor Julien about 3 years ago

What would these drop counters count exactly? We do have ips.blocked as a generic drop counter (although it's only on NFQ I think, not AF_PACKET IPS)

Actions #8

Updated by Andreas Herz about 3 years ago

They are a subset of ips.blocked, so like ips.blocked."reason"; so while the generic counter increasing won't be something odd, a huge counter for dropped packets to some invalid traffic type might be something easier to spot by that.

But I don't remember the specific details from back then :)
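The following is an added example, not Suricata's own code and not code from anyone in this ticket. It models in a few dozen lines what the description and comments #1, #6 and #8 ask for: a packet that reaches the engine for a session in state NONE is only accepted if it is a plain SYN, anything else is dropped in inline mode, and instead of silently bumping the generic ips.blocked counter the drop is tagged with a reason, counted under a per-reason sub-counter (ips.blocked.<reason>) and written as a "[DROP] <packet> - <reason>" line in the format the description proposes for drop.log. The state-NONE classification is a deliberate simplification (Suricata's real handling of midstream pickups, async one-sided flows and so on is more involved), and every identifier, the sample traffic and the log format are assumptions made for this illustration.

```c
/* Added example (hypothetical, not Suricata code): reason-tagged drops for
 * packets hitting a session in state NONE, with per-reason sub-counters and
 * a drop.log style line, as proposed in ticket #1749. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* Drop reasons; DROP_NONE means the packet is passed. */
enum drop_reason {
    DROP_NONE = 0,
    DROP_STATE_NONE_NOT_SYN,   /* packet to an unknown session that is not a plain SYN */
    DROP_STATE_NONE_RST,       /* stray RST for an unknown session */
    DROP_REASON_MAX
};

static const char *drop_reason_name[DROP_REASON_MAX] = {
    "none", "state_none_not_syn", "state_none_rst"
};

struct packet {
    const char *src; uint16_t sport;
    const char *dst; uint16_t dport;
    uint8_t flags;
};

struct drop_stats {
    uint64_t blocked;                               /* generic ips.blocked */
    uint64_t blocked_by_reason[DROP_REASON_MAX];    /* ips.blocked.<reason> */
};

/* Simplified stand-in for the state-NONE decision: only a plain SYN starts a
 * session; a RST or any other flag combination is invalid here. */
static enum drop_reason classify_state_none(const struct packet *p)
{
    if (p->flags & TH_RST)
        return DROP_STATE_NONE_RST;
    if ((p->flags & (TH_SYN | TH_ACK)) == TH_SYN)
        return DROP_NONE;
    return DROP_STATE_NONE_NOT_SYN;
}

/* Render the proposed "[DROP] $PACKETINFO - $REASON" line into buf. */
static int format_drop_line(char *buf, size_t len, const struct packet *p, enum drop_reason r)
{
    return snprintf(buf, len, "[DROP] %s:%u -> %s:%u flags=0x%02x - %s",
                    p->src, p->sport, p->dst, p->dport, p->flags, drop_reason_name[r]);
}

/* Inline-mode handling of one packet: returns 1 if dropped, 0 if passed.
 * A drop updates both the generic counter and the reason sub-counter and,
 * if a log is given, writes one drop.log line. */
static int inline_process(struct drop_stats *st, const struct packet *p, FILE *droplog)
{
    enum drop_reason r = classify_state_none(p);
    if (r == DROP_NONE)
        return 0;
    st->blocked++;
    st->blocked_by_reason[r]++;
    if (droplog) {
        char line[160];
        format_drop_line(line, sizeof line, p, r);
        fprintf(droplog, "%s\n", line);
    }
    return 1;
}

/* Constructed sample traffic modelling the misconfiguration in the ticket:
 * only one direction reached NFQUEUE, so the engine sees ACKs for sessions
 * it never saw a SYN for, plus a stray RST and an unsolicited SYN/ACK. */
static const struct packet sample[] = {
    {"10.0.0.5", 40000, "10.0.0.9", 443, TH_SYN},
    {"10.0.0.5", 40001, "10.0.0.9", 443, TH_ACK},
    {"10.0.0.5", 40001, "10.0.0.9", 443, TH_ACK},
    {"10.0.0.9", 443, "10.0.0.5", 40002, TH_RST},
    {"10.0.0.5", 40003, "10.0.0.9", 443, TH_SYN | TH_ACK},
};

/* Push the sample through the inline path and return the counters. */
struct drop_stats run_sample(FILE *droplog)
{
    struct drop_stats st;
    memset(&st, 0, sizeof st);
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        inline_process(&st, &sample[i], droplog);
    return st;
}

int main(void)
{
    struct drop_stats st = run_sample(stdout);
    printf("ips.blocked=%llu\n", (unsigned long long)st.blocked);
    for (int r = 1; r < DROP_REASON_MAX; r++)
        printf("ips.blocked.%s=%llu\n", drop_reason_name[r],
               (unsigned long long)st.blocked_by_reason[r]);
    return 0;
}
```

Run as-is it prints four drop lines followed by the counters; the point of the sub-counters is exactly what comment #8 describes: ips.blocked alone reads 4, while ips.blocked.state_none_not_syn reading 3 makes the one-sided NFQUEUE setup visible at a glance.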

Actions #9

Updated by Victor Julien about 3 years ago

Were the events for the silent drops added?

Actions #10

Updated by Andreas Herz almost 3 years ago

Nope, not yet
