Feature #7699
openfirewall: separate stats for ips and firewall
Description
Similar to logs, the eve stats are also reported combined (for example with firewall blocked counts reporting under "ips"), which would be very useful to count separately.
Currently we have
{
  "accepted": 8,
  "blocked": 54,
  "rejected": 0,
  "replaced": 0,
  "drop_reason": {
    "decode_error": 0,
    "defrag_error": 0,
    "defrag_memcap": 0,
    "flow_memcap": 0,
    "flow_drop": 52,
    "applayer_error": 0,
    "applayer_memcap": 0,
    "rules": 1,
    "threshold_detection_filter": 0,
    "stream_error": 0,
    "stream_memcap": 0,
    "stream_midstream": 0,
    "stream_reassembly": 0,
    "stream_urgent": 0,
    "nfq_error": 0,
    "tunnel_packet_drop": 0,
    "default_packet_policy": 0,
    "default_app_policy": 1
  }
}
I think it could be sufficient to expand the drop reason a bit?
{
  "accepted": 8,
  "blocked": 54,
  ...
  "drop_reason": {
    ...
    "rules": 1,
    "firewall_rules": 1,
    ...
    "default_packet_policy": 0,
    "default_app_policy": 1
  }
}
default_packet_policy and default_app_policy imply firewall, so we'd only need a counter to indicate a firewall drop rule matched? firewall_rules here.
Could also break it out
{
  "accepted": 8,
  "blocked": 54,
  ...
  "drop_reason": {
    ...
    "rules": 1,
    ...
    "firewall": {
      "rules": 1,
      "default_packet_policy": 0,
      "default_app_policy": 1
    }
  }
}
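As an added example (not code from this issue or from Suricata), here is how a consumer of eve.json could split the drop_reason counters into IPS and firewall shares the way the description reasons, treating default_packet_policy and default_app_policy as firewall decisions in the current flat layout and reading the nested "firewall" object in the proposed layout. The stats.ips key path and both sample events are assumptions constructed for the example.

```python
import json

# Drop reasons the issue says imply a firewall decision in the current layout.
FIREWALL_REASONS = ("default_packet_policy", "default_app_policy")


def split_drop_reasons(ips_stats):
    """Split an eve stats 'ips' object's drop_reason counters into
    (ips_total, firewall_total, firewall_breakdown).

    Works on the current flat layout and on the nested "firewall" layout
    proposed in this issue."""
    reasons = dict(ips_stats.get("drop_reason", {}))
    firewall = {}
    # Proposed layout: a nested object already groups the firewall counters.
    nested = reasons.pop("firewall", None)
    if isinstance(nested, dict):
        firewall.update(nested)
    # Current layout: default policy drops sit beside the IPS reasons but are
    # firewall decisions, so move them over. A flat "firewall_rules" key
    # (the first variant in the issue) is folded in as "rules".
    for key in list(reasons):
        if key in FIREWALL_REASONS:
            firewall[key] = reasons.pop(key)
        elif key == "firewall_rules":
            firewall["rules"] = reasons.pop(key)
    ips_total = sum(v for v in reasons.values() if isinstance(v, int))
    firewall_total = sum(v for v in firewall.values() if isinstance(v, int))
    return ips_total, firewall_total, firewall


def summarize_stats_line(line):
    """Parse one eve.json line; return the split for stats events, else None."""
    event = json.loads(line)
    if event.get("event_type") != "stats":
        return None
    ips = event.get("stats", {}).get("ips")  # assumed key path: stats.ips
    if not ips:
        return None
    ips_drops, fw_drops, fw_detail = split_drop_reasons(ips)
    return {"blocked": ips.get("blocked", 0), "ips_drops": ips_drops,
            "firewall_drops": fw_drops, "firewall": fw_detail}


# Constructed sample in the current flat layout (counts taken from the issue).
SAMPLE_CURRENT = json.dumps({"event_type": "stats", "stats": {"ips": {
    "accepted": 8, "blocked": 54, "rejected": 0, "replaced": 0,
    "drop_reason": {"flow_drop": 52, "rules": 1, "nfq_error": 0,
                    "default_packet_policy": 0, "default_app_policy": 1}}}})

# Constructed sample in the nested layout proposed in the issue.
SAMPLE_NESTED = json.dumps({"event_type": "stats", "stats": {"ips": {
    "accepted": 8, "blocked": 54,
    "drop_reason": {"flow_drop": 52, "rules": 1,
                    "firewall": {"rules": 1, "default_packet_policy": 0,
                                 "default_app_policy": 1}}}}})

if __name__ == "__main__":
    for sample in (SAMPLE_CURRENT, SAMPLE_NESTED):
        print(summarize_stats_line(sample))
```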
Updated by Jamie Lavigne 2 days ago
I think that last one would be great, that groups all firewall drops together and breaks out rules from default policy drops.