Project

General

Profile

Actions
Copy link

Feature #7699

open

firewall: separate stats for ips and firewall

Added by Victor Julien 7 months ago. Updated 21 days ago.

Status:
Assigned
Priority:
Normal
Assignee:
Victor Julien
Target version:
9.0.0-beta1
Effort:
Difficulty:
Label:

Description

Similar to logs, the eve stats are also reported combined (for example with firewall blocked counts reporting under "ips") that would be very useful to count separately.

Currently we have

{
  "accepted": 8,
  "blocked": 54,
  "rejected": 0,
  "replaced": 0,
  "drop_reason": {
    "decode_error": 0,
    "defrag_error": 0,
    "defrag_memcap": 0,
    "flow_memcap": 0,
    "flow_drop": 52,
    "applayer_error": 0,
    "applayer_memcap": 0,
    "rules": 1,
    "threshold_detection_filter": 0,
    "stream_error": 0,
    "stream_memcap": 0,
    "stream_midstream": 0,
    "stream_reassembly": 0,
    "stream_urgent": 0,
    "nfq_error": 0,
    "tunnel_packet_drop": 0,
    "default_packet_policy": 0,
    "default_app_policy": 1
  }
}

I think it could be sufficient to expand the drop reason a bit?

{
  "accepted": 8,
  "blocked": 54,
  ...
  "drop_reason": {
    ...
    "rules": 1,
    "firewall_rules": 1,
    ...
    "default_packet_policy": 0,
    "default_app_policy": 1
  }
}

default_packet_policy and default_app_policy imply firewall, so we'd only need a counter to indicate a firewall drop rule matched? firewall_rules here.

Could also break it out

{
  "accepted": 8,
  "blocked": 54,
  ...
  "drop_reason": {
    ...
    "rules": 1,
    ...
    "firewall": {
       "rules": 1,
       "default_packet_policy": 0,
       "default_app_policy": 1
    }
  }
}

Related issues 2 (1 open1 closed)

Has duplicate Suricata - Task #7850: stats: add dedicated counters for firewall modeRejectedOISF DevActions
Blocks Suricata - Story #7583: 9.0.0: usecase: improve firewall usecaseAssignedVictor JulienActions
Actions
Copy link
 #1

Updated by Jamie Lavigne 7 months ago

I think that last one would be great, that groups all firewall drops together and breaks out rules from default policy drops.

Actions
Copy link
 #2

Updated by Victor Julien 4 months ago

  • Blocks Story #7583: 9.0.0: usecase: improve firewall usecase added
Actions
Copy link
 #3

Updated by Victor Julien 2 months ago

  • Status changed from Feedback to Assigned
  • Target version changed from TBD to 9.0.0-beta1
Actions
Copy link
 #4

Updated by Juliana Fajardini Reichow 21 days ago

  • Has duplicate Task #7850: stats: add dedicated counters for firewall mode added
Actions
Copy link
 #5

Updated by Juliana Fajardini Reichow 21 days ago

What was originally #7850 could be covered by this one, too:
"As part of this task, also make alert_queue_overflow counter dedicated to the alert queue overflow again
(cf https://github.com/OISF/suricata/pull/13700#discussion_r2264587964)."

Actions
Copy link

Also available in: Atom PDF