<p><strong>Suricata - Optimization #1749: Log PACKET_DROP in inline mode for invalid states as well</strong></p>
<p>Issue journal feed from https://redmine.openinfosecfoundation.org/ (Open Information Security Foundation). Entries are listed oldest first.</p>

<p><strong>Victor Julien</strong> (victor@inliniac.net), 2016-06-15T05:10:27Z, https://redmine.openinfosecfoundation.org/issues/1749?journal_id=6945</p>
<p>I think the first step is to add events for each of those cases, so we can match on them. Having a log could be interesting as well.</p>

<p><strong>Victor Julien</strong> (victor@inliniac.net), 2017-02-10T03:53:05Z, https://redmine.openinfosecfoundation.org/issues/1749?journal_id=7911</p>
<ul><li><strong>Assignee</strong> changed from <i>OISF Dev</i> to <i>Andreas Herz</i></li><li><strong>Target version</strong> changed from <i>TBD</i> to <i>70</i></li></ul>
<p>Andreas, can you add events for the 'silent' drops?</p>

<p><strong>Andreas Herz</strong> (oisf@herzandreas.de), 2017-02-10T16:42:53Z, https://redmine.openinfosecfoundation.org/issues/1749?journal_id=7932</p>
<p>Will give it a try!</p>

<p><strong>Andreas Herz</strong> (oisf@herzandreas.de), 2018-08-13T21:01:15Z, https://redmine.openinfosecfoundation.org/issues/1749?journal_id=10180</p>
<ul><li><strong>Assignee</strong> changed from <i>Andreas Herz</i> to <i>Anonymous</i></li><li><strong>Effort</strong> set to <i>medium</i></li><li><strong>Difficulty</strong> set to <i>medium</i></li></ul>

<p><strong>Andreas Herz</strong> (oisf@herzandreas.de), 2019-02-23T22:18:04Z, https://redmine.openinfosecfoundation.org/issues/1749?journal_id=11231</p>
<ul><li><strong>Assignee</strong> set to <i>Community Ticket</i></li></ul>

<p><strong>Andreas Herz</strong> (oisf@herzandreas.de), 2019-05-28T21:12:43Z, https://redmine.openinfosecfoundation.org/issues/1749?journal_id=12295</p>
<ul><li><strong>Target version</strong> changed from <i>70</i> to <i>TBD</i></li></ul>
<p>Would it make sense to have dedicated drop counters in the stats as well?</p>

<p><strong>Victor Julien</strong> (victor@inliniac.net), 2019-07-08T09:24:53Z, https://redmine.openinfosecfoundation.org/issues/1749?journal_id=12828</p>
<p>What would these drop counters count exactly? We do have ips.blocked as a generic drop counter (although it's only on NFQ I think, not AF_PACKET IPS).</p>

<p><strong>Andreas Herz</strong> (oisf@herzandreas.de), 2019-07-08T20:20:59Z, https://redmine.openinfosecfoundation.org/issues/1749?journal_id=12844</p>
<p>They'd be a subset of ips.blocked, so something like ips.blocked."reason". While the generic counter increasing won't be anything odd, a huge counter for packets dropped because of some invalid traffic type might be easier to spot that way.</p>
<p>But I don't remember the specific details from back then :)</p>

<p><strong>Victor Julien</strong> (victor@inliniac.net), 2019-09-27T13:21:33Z, https://redmine.openinfosecfoundation.org/issues/1749?journal_id=14025</p>
<p>Were the events for the silent drops added?</p>

<p><strong>Andreas Herz</strong> (oisf@herzandreas.de), 2019-10-01T22:21:23Z, https://redmine.openinfosecfoundation.org/issues/1749?journal_id=14090</p>
<p>Nope, not yet.</p>
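<p>The thread above turns on two things a practitioner would want: events for the 'silent' drops so a rule can match on them, and a per-reason view of what the generic ips.blocked counter lumps together. Until such events exist, the gap can at least be measured from EVE output. The following is an added example, not Suricata code and not from the ticket: it reads EVE JSON lines, counts alerts whose alert.action is "blocked" per signature, reads the cumulative stats.ips.blocked counter, and reports the difference as a lower bound on drops that produced no event at all. The field names (event_type, alert.action, alert.signature_id, alert.signature, stats.ips.blocked) are the ones Suricata's EVE output uses; the sample lines, signature names and signature ids are constructed for this example.</p>

```python
"""Approximate a per-reason breakdown of IPS drops from Suricata EVE JSON.

Added example (not Suricata project code). Assumptions:
- alert events carry alert.action ("allowed"/"blocked"), alert.signature_id
  and alert.signature, as in Suricata's EVE alert output;
- stats events carry stats.ips.blocked, the generic counter named in the
  ticket, which is cumulative since engine start (and, per the thread,
  only populated on NFQ);
- the log covers the run from its start, so the last stats value is the total.
"""
import json
from collections import Counter
from typing import Dict, Iterable, Optional

# Constructed sample EVE lines: two stats snapshots and a few alerts.
# Signature names and ids (9000001..9000003) are made up for this example.
SAMPLE_EVE = """
{"timestamp":"2019-07-08T20:00:00.000000+0000","event_type":"stats","stats":{"uptime":60,"ips":{"accepted":1000,"blocked":2,"rejected":0,"replaced":0}}}
{"timestamp":"2019-07-08T20:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE TCP invalid ack (constructed)","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2019-07-08T20:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.6","dest_ip":"10.0.0.9","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE TCP invalid ack (constructed)","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2019-07-08T20:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000002,"rev":1,"signature":"EXAMPLE TCP packet out of window (constructed)","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2019-07-08T20:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.8","dest_ip":"10.0.0.9","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000003,"rev":1,"signature":"EXAMPLE informational alert (constructed)","category":"Misc activity","severity":3}}
this line is not JSON and must be skipped
{"timestamp":"2019-07-08T20:01:00.000000+0000","event_type":"stats","stats":{"uptime":120,"ips":{"accepted":2000,"blocked":7,"rejected":0,"replaced":0}}}
"""


def summarize_drops(lines: Iterable[str]) -> Dict[str, object]:
    """Return per-signature blocked counts and the unexplained remainder.

    blocked_without_event is a lower bound: one dropped packet can raise
    several alerts, so the alert total may exceed ips.blocked, in which
    case the remainder is clamped to 0 rather than going negative.
    """
    blocked_by_sig: Counter = Counter()
    allowed_alerts = 0
    ips_blocked: Optional[int] = None  # last cumulative value seen

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate a corrupt line instead of aborting the pass
        event_type = ev.get("event_type")
        if event_type == "alert":
            alert = ev.get("alert", {})
            if alert.get("action") == "blocked":
                key = (alert.get("signature_id"), alert.get("signature"))
                blocked_by_sig[key] += 1
            else:
                allowed_alerts += 1
        elif event_type == "stats":
            value = ev.get("stats", {}).get("ips", {}).get("blocked")
            if isinstance(value, int):
                ips_blocked = value  # cumulative, so keep the latest

    with_event = sum(blocked_by_sig.values())
    without_event = None if ips_blocked is None else max(ips_blocked - with_event, 0)
    return {
        "blocked_by_signature": {
            f"{sid}:{name}": n for (sid, name), n in blocked_by_sig.most_common()
        },
        "allowed_alerts": allowed_alerts,
        "ips_blocked": ips_blocked,
        "blocked_with_event": with_event,
        "blocked_without_event": without_event,
    }


if __name__ == "__main__":
    print(json.dumps(summarize_drops(SAMPLE_EVE.splitlines()), indent=2))
```

<p>On the constructed sample, ips.blocked ends at 7 while only 3 blocked alerts were logged, so 4 drops are invisible to anything that matches on events; that remainder is exactly what the ticket asks to make explicit, either as events or as ips.blocked."reason"-style counters. Run it against a real eve.json with <code>summarize_drops(open("eve.json"))</code>; if ips_blocked stays None, the counter is not being emitted (for example on an AF_PACKET IPS deployment).</p>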