



Feature #4573


add IPS drop total to eve log output

Added by Corey Thomas about 3 years ago. Updated 12 months ago.

Target version:


It would be useful to have the stats metric for total IPS drops in eve output. Probably similar to the alert count as part of suricata engine output. The field name should be clear that it's ips or alert drops.


{"timestamp":"2021-08-03T13:15:28.965147+0000","log_level":"Info","event_type":"engine","engine":{"message":"Alerts: 56893"}}
{"timestamp":"2021-08-03T13:15:28.965147+0000","log_level":"Info","event_type":"engine","engine":{"message":"IPS_Drops: 100"}}

Related issues 1 (0 open1 closed)

Related to Suricata - Feature #4756: capture: support ips stats for all IPS capture methodsClosedVictor JulienActions
Actions #1

Updated by Victor Julien almost 3 years ago

  • Related to Feature #4756: capture: support ips stats for all IPS capture methods added
Actions #2

Updated by Jeff Lucovsky over 2 years ago

  • Target version set to TBD
Actions #3

Updated by Jeff Lucovsky 12 months ago

  • Status changed from New to In Progress
Actions #4

Updated by Jeff Lucovsky 12 months ago

  • Status changed from In Progress to In Review
Actions #5

Updated by Victor Julien 12 months ago

What is the purpose here? We have this as part of eve.stats now, isn't that enough?

Actions #6

Updated by Jeff Lucovsky 12 months ago

@Corey Thomas Does the eve stats addition meet your needs?

Actions #7

Updated by Corey Thomas 12 months ago

  • Status changed from In Review to Resolved

Jeff Lucovsky wrote in #note-6:

@Corey Thomas Does the eve stats addition meet your needs?

Yes, I think so. We have the accepted, blocked and rejected packets at the end of run.

I'll marked this as resolved. Feel free to fix or let me know if I should change something else.

  "stats": {
    "uptime": 726,
    "ips": {
      "accepted": 367085210,
      "blocked": 1395360,
      "rejected": 0,
      "replaced": 0,
      "drop_reason": {
        "decode_error": 0,
        "defrag_error": 0,
        "defrag_memcap": 0,
        "flow_memcap": 0,
        "flow_drop": 1296000,
        "applayer_error": 32400,
        "applayer_memcap": 0,
        "rules": 66960,
        "threshold_detection_filter": 0,
        "stream_error": 0,
        "stream_memcap": 0,
        "stream_midstream": 0,
        "nfq_error": 0,
        "tunnel_packet_drop": 0

Actions #8

Updated by Jeff Lucovsky 12 months ago

  • Status changed from Resolved to Rejected

Now that the eve stats contains this information, displaying a console message with the same info is no longer required.


Also available in: Atom PDF