Open Information Security Foundation (https://redmine.openinfosecfoundation.org/)

Suricata - Bug #2225: when stats info dumping in redis, the decoder.ipv4.trunc_pkt can't output. In the same time, in the stats.log this can output

https://redmine.openinfosecfoundation.org/issues/2225?journal_id=8680 2017-10-10T03:22:33Z Victor Julien victor@inliniac.net
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/8680/diff?detail_id=9040">diff</a>)</li><li><strong>Priority</strong> changed from <i>High</i> to <i>Normal</i></li></ul>

https://redmine.openinfosecfoundation.org/issues/2225?journal_id=8681 2017-10-10T07:32:46Z Sascha Steinbiss
<ul></ul><p>Looks like this is a result of having both <code>decoder.ipv4</code> and <code>decoder.ipv4.trunc_pkt</code>. Since JSON object structure is determined from the dotted counter names (interpreting them as 'paths' into the structure to construct) this would be a situation where there would be a conflict between <code>decoder.ipv4</code> being created as a literal number first but one would need to make a sub-object for <code>decoder.ipv4.trunc_pkt</code>.</p>
<p>So I guess one would either need to rename <code>decoder.ipv4</code> to <code>decoder.ipv4.count</code> or <code>decoder.ipv4.trunc_pkt</code> to <code>decoder.trunc_pkt.ipv4</code> (or something like that).</p>

https://redmine.openinfosecfoundation.org/issues/2225?journal_id=8682 2017-10-11T05:03:44Z Sascha Steinbiss
<ul></ul><p>BTW, this could be a problem in various other places as well. Here's a list of counters where a literal value would be referred to by the same JSON key as a sub-object:</p>
<pre><code class="text syntaxhl" data-language="text">$ tail -n 50000 /tmp/stats.log | cut -f1 -d' ' | sort | uniq | fgrep . > counters_all.txt
$ for v in `cat counters_all.txt`; do echo $v; fgrep $v. counters_all.txt| wc -l; done | egrep -B1 '^[1-9][0-9]*$'
decoder.erspan
3
--
decoder.ethernet
1
--
decoder.gre
15
--
decoder.icmpv4
5
--
decoder.icmpv6
8
--
decoder.ipv4
16
--
decoder.ipv6
30
--
decoder.mpls
5
--
decoder.ppp
6
--
decoder.pppoe
3
--
decoder.sctp
1
--
decoder.sll
1
--
decoder.tcp
5
--
decoder.udp
3
--
decoder.vlan
3
</code></pre>

https://redmine.openinfosecfoundation.org/issues/2225?journal_id=8694 2017-10-12T16:41:30Z Andreas Herz oisf@herzandreas.de
<ul><li><strong>Assignee</strong> set to <i>OISF Dev</i></li><li><strong>Target version</strong> set to <i>TBD</i></li></ul>

https://redmine.openinfosecfoundation.org/issues/2225?journal_id=8702 2017-10-13T01:53:59Z Victor Julien victor@inliniac.net
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Assignee</strong> changed from <i>OISF Dev</i> to <i>Jason Ish</i></li><li><strong>Target version</strong> changed from <i>TBD</i> to <i>70</i></li></ul><p>Probably the best is to avoid the name collisions by putting the events in as 'decoder.event.ipv4.trunc_pkt' or similar.</p>

https://redmine.openinfosecfoundation.org/issues/2225?journal_id=10827 2019-01-24T09:16:09Z Victor Julien victor@inliniac.net
<ul><li><strong>Assignee</strong> changed from <i>Jason Ish</i> to <i>Victor Julien</i></li><li><strong>Target version</strong> changed from <i>70</i> to <i>4.1.3</i></li></ul>

https://redmine.openinfosecfoundation.org/issues/2225?journal_id=10862 2019-02-08T10:44:28Z Victor Julien victor@inliniac.net
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Closed</i></li></ul><p><a class="external" href="https://github.com/OISF/suricata/pull/3625">https://github.com/OISF/suricata/pull/3625</a></p>

https://redmine.openinfosecfoundation.org/issues/2225?journal_id=13434 2019-08-30T15:23:23Z Victor Julien victor@inliniac.net
<ul><li><strong>Related to</strong> <i><a class="issue tracker-5 status-5 priority-4 priority-default closed" href="/issues/3135">Task #3135</a>: counters: new default for decoder events</i> added</li></ul>
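
The name collision discussed in this thread, as an added example that is not Suricata's code and not part of the original issue: a small builder that nests dotted counter names into a JSON object, next to the same counters with the event renamed to `decoder.event.ipv4.trunc_pkt` as proposed above. The counter values are constructed, and dropping the conflicting counter is an assumption of this sketch about how a path-based builder fails, chosen because it matches the missing-counter symptom reported.

```python
import json

def build_tree(counters):
    """Nest dotted counter names into a dict; return (tree, dropped names)."""
    tree, dropped = {}, []
    for name, value in counters:
        node, parts = tree, name.split(".")
        for key in parts[:-1]:
            child = node.setdefault(key, {})
            if not isinstance(child, dict):   # a literal already sits on this path
                node = None
                break
            node = child
        if node is None or isinstance(node.get(parts[-1]), dict):
            dropped.append(name)              # leaf vs. sub-object conflict
        else:
            node[parts[-1]] = value
    return tree, dropped

def leaf_and_parent(names):
    """Names that are a counter themselves and also a prefix of other counters."""
    names = set(names)
    return sorted(n for n in names if any(m.startswith(n + ".") for m in names))

# Constructed sample values; the counter names are the ones quoted in the thread.
SAMPLE = [
    ("decoder.ipv4", 900),
    ("decoder.ipv4.trunc_pkt", 2),
    ("decoder.tcp", 800),
    ("decoder.udp", 700),
]
# Same counters with the event moved under decoder.event, as suggested in the thread.
RENAMED = [(n.replace("decoder.ipv4.trunc_pkt", "decoder.event.ipv4.trunc_pkt"), v)
           for n, v in SAMPLE]

if __name__ == "__main__":
    for label, counters in (("original", SAMPLE), ("renamed", RENAMED)):
        tree, dropped = build_tree(counters)
        print(label, "leaf-and-parent names:", leaf_and_parent(n for n, _ in counters))
        print(label, "dropped from JSON:", dropped)
        print(json.dumps(tree, indent=2))
```

Which counter is lost depends on insertion order: with the sub-counter registered first, `decoder.ipv4` itself is the one that cannot be placed.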