Project

General

Profile

Actions
Copy link

Feature #4573

closed
CT JL

add IPS drop total to eve log output

Feature #4573: add IPS drop total to eve log output

Added by Corey Thomas over 4 years ago. Updated over 2 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
Jeff Lucovsky
Target version:
TBD
Effort:
Difficulty:
Label:

Description

It would be useful to have the stats metric for total IPS drops in eve output. Probably similar to the alert count as part of suricata engine output. The field name should be clear that it's ips or alert drops.

e.g.

{"timestamp":"2021-08-03T13:15:28.965147+0000","log_level":"Info","event_type":"engine","engine":{"message":"Alerts: 56893"}}
{"timestamp":"2021-08-03T13:15:28.965147+0000","log_level":"Info","event_type":"engine","engine":{"message":"IPS_Drops: 100"}}

Related issues 1 (0 open1 closed)

Related to Suricata - Feature #4756: capture: support ips stats for all IPS capture methodsClosedVictor JulienActions

VJ Updated by Victor Julien over 4 years ago Actions
Copy link
 #1

  • Related to Feature #4756: capture: support ips stats for all IPS capture methods added

JL Updated by Jeff Lucovsky almost 4 years ago Actions
Copy link
 #2

  • Target version set to TBD

JL Updated by Jeff Lucovsky over 2 years ago Actions
Copy link
 #3

  • Status changed from New to In Progress

JL Updated by Jeff Lucovsky over 2 years ago Actions
Copy link
 #4

  • Status changed from In Progress to In Review

VJ Updated by Victor Julien over 2 years ago Actions
Copy link
 #5

What is the purpose here? We have this as part of eve.stats now, isn't that enough?

JL Updated by Jeff Lucovsky over 2 years ago Actions
Copy link
 #6

@Corey Thomas Does the eve stats addition meet your needs?

CT Updated by Corey Thomas over 2 years ago Actions
Copy link
 #7

  • Status changed from In Review to Resolved

Jeff Lucovsky wrote in #note-6:

@Corey Thomas Does the eve stats addition meet your needs?

Yes, I think so. We have the accepted, blocked and rejected packets at the end of run.

I'll marked this as resolved. Feel free to fix or let me know if I should change something else.

  "stats": {
    "uptime": 726,
    "ips": {
      "accepted": 367085210,
      "blocked": 1395360,
      "rejected": 0,
      "replaced": 0,
      "drop_reason": {
        "decode_error": 0,
        "defrag_error": 0,
        "defrag_memcap": 0,
        "flow_memcap": 0,
        "flow_drop": 1296000,
        "applayer_error": 32400,
        "applayer_memcap": 0,
        "rules": 66960,
        "threshold_detection_filter": 0,
        "stream_error": 0,
        "stream_memcap": 0,
        "stream_midstream": 0,
        "nfq_error": 0,
        "tunnel_packet_drop": 0
      }

JL Updated by Jeff Lucovsky over 2 years ago Actions
Copy link
 #8

  • Status changed from Resolved to Rejected

Now that the eve stats contains this information, displaying a console message with the same info is no longer required.

Actions
Copy link

Also available in: PDF Atom