Suricata

Suricata 7 introduces useful new drop_reason stats counters, but the actual drop reasons aren't reflected in the counters when packets dropped are encapsulated inside a tunnel. In our case, our infrastructure uses a Geneve tunnel layer and Suricata inspects the encapsulated packets inside. However, when Suricata makes a drop decision on one of the inner packets, that decision is not reflected in any of the drop_reason counters except for "tunnel_packet_drop".

We recently investigated a case where packets were being dropped by the app-layer exception policy, but investigating was difficult because drops were only reflected under the opaque "tunnel_packet_drop" counter:

drop_reason:{
    ...
    applayer_error:0,
    applayer_error_delta:0,
    ...
    tunnel_packet_drop:139,
    tunnel_packet_drop_delta:139
}

Replaying similar traffic without the geneve encapsulation layer, the stats are much more useful and directly identify the cause:

drop_reason:{
    ...
    applayer_error:3,
    applayer_error_delta:3,
    ...
    tunnel_packet_drop:0,
    tunnel_packet_drop_delta:0
}