Feature #2958
open
JL
Suricata 5.0.0beta1 and way too much anomaly logging
Description
If outputs: -> -eve-log: -> types: -> - anomaly: is enabled in suricata.yaml, eve.json gets flooded with event type anomaly.
I've seen more than 13 million of these in 5 minutes, which also drastically reduces performance, as seen in capture.kernel_drops.
Under v4.1.3, capture.kernel_drops was way below 0.01%, and now I see numbers like:
capture.kernel_packets | Total | 47542250
capture.kernel_drops | Total | 37202776
Events logged in eve.json:
{"timestamp":"2019-05-03T09:11:57.277701+0200","in_iface":"ens2f0","event_type":"anomaly","vlan":[403],"anomaly":{"type":"packet","event":"decoder.ipv4.trunc_pkt"}}
{"timestamp":"2019-05-03T09:11:55.623627+0200","in_iface":"ens2f1","event_type":"anomaly","vlan":[403],"anomaly":{"type":"packet","event":"decoder.ipv4.trunc_pkt"}}
Is it possible to limit this logging? Another option/solution?
TIA!
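An added example, not part of the original report and not taken from the Suricata project: a suricata.yaml fragment that contrasts the configuration described above (the anomaly output simply enabled, so every decoder, stream and application-layer anomaly is written to eve.json) with a narrower one that keeps only application-layer anomalies. It assumes the anomaly output accepts the decode/stream/applayer toggles and the packethdr option that appear in the Suricata 5.0 example suricata.yaml; whether 5.0.0beta1 already honours them is not stated on this page.

```yaml
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        # Configuration as described in the report: the logger is enabled
        # with no further settings, so each truncated packet produces an
        # event_type "anomaly" record with decoder.ipv4.trunc_pkt.
        #- anomaly:
        #    enabled: yes

        # Narrower configuration (assumption: per-category toggles as in
        # the Suricata 5.0 example suricata.yaml). decoder.* events such as
        # decoder.ipv4.trunc_pkt fall under "decode", so disabling it stops
        # the per-packet flood while stream and applayer anomalies stay
        # selectable on their own.
        - anomaly:
            enabled: yes
            types:
              decode: no
              stream: no
              applayer: yes
            # Do not attach packet header data to packet anomaly records.
            packethdr: no
```

With decode anomalies switched off, the decoder event counters in stats.log still show how often truncated packets arrive, so nothing is lost for capacity tracking. Since decoder.ipv4.trunc_pkt means the captured bytes are fewer than the IPv4 header's total length, a sustained rate of millions per 5 minutes on a VLAN-tagged link is also worth checking against the capture setup itself (for example a snaplen shorter than the frames on the wire) rather than only being suppressed in the log.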