Project

General

Profile

Actions

Feature #751

closed

Add invalid packet counter

Added by Eric Leblond almost 12 years ago. Updated about 11 years ago.

Status:
Closed
Priority:
High
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

To be able to detect bad interface setting, it could be interesting to add a per-interface invalid counter.

Actions #1

Updated by Victor Julien almost 12 years ago

  • Status changed from New to Assigned
  • Assignee set to Eric Leblond
  • Target version set to 1.4.1
Actions #2

Updated by Eric Leblond almost 12 years ago

There is no inheritance of failure between Decode functions and these functions are chained: DecodePcap->DecodeEthernet->DecodeVlan->DecodeIpv4 to mention a simple example chain.
So, to detect a decoding failure, it seems we need to update all the functions. An alternative could be to check the value of header pointers (like ip4h or tcph). If they are null there is an issue with the packet. But this suppose we are able to easily get a picture of what should be non-NULL...

A last alternative I see would be to only update the higher protocol level (TCP, UDP, SCTP) so the impact of the patch is minimal.

Actions #3

Updated by Victor Julien almost 12 years ago

I think we should just add the increment of this counter to each decoder (maybe we can macro it?). Higher level only won't help as the higher level won't be invoked if ipv4 iplen > caplen.

Actions #4

Updated by Eric Leblond almost 12 years ago

The following branch contains a series proposal for this bug and #752: https://github.com/regit/suricata/commits/bug751

I'm not really happy with it so any idea welcome.

Actions #5

Updated by Victor Julien almost 12 years ago

  • Target version changed from 1.4.1 to 2.0beta1
Actions #6

Updated by Victor Julien over 11 years ago

  • Priority changed from Normal to High

Not sure about https://github.com/regit/suricata/commit/3fe5b1d405b0cebb6794057df810e5f48fc9a653, but the other two patches look good. In the "Update auto checksum API" patch you also flag bad csums as invalid, not sure if we should do that. The other "invalids" are (almost?) all for malformed packets, invalid csum is a lot more common. Thoughts?

Actions #7

Updated by Eric Leblond over 11 years ago

After reading this "Update auto checksum API" patch again, I'm not happy with it. If having a counter for invalid_pkts is a good idea, it is not interesting for to use it for packet checksum. So I think we need an other approach. Here's the PR with rebased patches: https://github.com/inliniac/suricata/pull/393

Actions #8

Updated by Eric Leblond over 11 years ago

  • % Done changed from 0 to 90
Actions #9

Updated by Victor Julien over 11 years ago

  • Target version changed from 2.0beta1 to 2.0beta2
Actions #10

Updated by Eric Leblond about 11 years ago

  • Status changed from Assigned to Closed
Actions #11

Updated by Victor Julien about 11 years ago

  • Tracker changed from Bug to Feature
Actions

Also available in: Atom PDF