Feature #7699: firewall: separate stats for ips and firewall

Added by Victor Julien 12 months ago. Updated 21 days ago.

Status: In Progress
Priority: Normal

Description

Similar to logs, the eve stats are also reported combined (for example, firewall blocked counts are reported under "ips"); it would be very useful to count these separately.

Currently we have:

{
  "accepted": 8,
  "blocked": 54,
  "rejected": 0,
  "replaced": 0,
  "drop_reason": {
    "decode_error": 0,
    "defrag_error": 0,
    "defrag_memcap": 0,
    "flow_memcap": 0,
    "flow_drop": 52,
    "applayer_error": 0,
    "applayer_memcap": 0,
    "rules": 1,
    "threshold_detection_filter": 0,
    "stream_error": 0,
    "stream_memcap": 0,
    "stream_midstream": 0,
    "stream_reassembly": 0,
    "stream_urgent": 0,
    "nfq_error": 0,
    "tunnel_packet_drop": 0,
    "default_packet_policy": 0,
    "default_app_policy": 1
  }
}

I think it could be sufficient to expand the drop reason a bit?

{
  "accepted": 8,
  "blocked": 54,
  ...
  "drop_reason": {
    ...
    "rules": 1,
    "firewall_rules": 1,
    ...
    "default_packet_policy": 0,
    "default_app_policy": 1
  }
}

default_packet_policy and default_app_policy imply firewall, so we'd only need a counter to indicate a firewall drop rule matched? firewall_rules here.

Could also break it out:

{
  "accepted": 8,
  "blocked": 54,
  ...
  "drop_reason": {
    ...
    "rules": 1,
    ...
    "firewall": {
      "rules": 1,
      "default_packet_policy": 0,
      "default_app_policy": 1
    }
  }
}
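As an added example, not part of this issue or of Suricata's own code: the Python below reads eve stats records in the three drop_reason layouts discussed above (the current flat one, the flat one with a firewall_rules counter, and the nested firewall object) and attributes blocked packets to the firewall or to the IPS side. It assumes the eve stats record carries these counters under stats.ips, and that firewall rule drops are a sub-count of the overall rules counter (consistent with the sample arithmetic, where 52 + 1 + 1 equals blocked); the records themselves are constructed here using the numbers from the issue.

```python
import json

# Firewall default-policy counters; under the current layout these are the
# only drop reasons that unambiguously identify a firewall decision.
FIREWALL_DEFAULTS = ("default_packet_policy", "default_app_policy")


def _stats_record(drop_reason):
    """Build a constructed eve stats line around a drop_reason mapping.

    Assumption: eve stats carry the IPS counters under stats.ips with the
    accepted/blocked/rejected/replaced fields shown in the issue.
    """
    return json.dumps({
        "event_type": "stats",
        "stats": {"ips": {
            "accepted": 8, "blocked": 54, "rejected": 0, "replaced": 0,
            "drop_reason": drop_reason,
        }},
    })


# Current layout: the firewall rule drop is hidden inside "rules".
CURRENT_RECORD = _stats_record({
    "decode_error": 0, "flow_drop": 52, "rules": 1,
    "default_packet_policy": 0, "default_app_policy": 1,
})

# First proposal: a flat firewall_rules counter next to "rules".
FLAT_PROPOSAL_RECORD = _stats_record({
    "decode_error": 0, "flow_drop": 52, "rules": 1, "firewall_rules": 1,
    "default_packet_policy": 0, "default_app_policy": 1,
})

# Second proposal: a nested "firewall" object inside drop_reason.
NESTED_PROPOSAL_RECORD = _stats_record({
    "decode_error": 0, "flow_drop": 52, "rules": 1,
    "firewall": {"rules": 1, "default_packet_policy": 0,
                 "default_app_policy": 1},
})


def load_ips_stats(line):
    """Parse one eve.json line and return its stats.ips object."""
    record = json.loads(line)
    if record.get("event_type") != "stats":
        raise ValueError("not a stats record")
    return record["stats"]["ips"]


def attribute_drops(ips):
    """Split drop_reason counters into firewall, IPS-rule and other drops.

    Works with all three layouts. Assumption (labelled): firewall rule drops
    are a subset of the "rules" counter, so they are subtracted from it rather
    than added on top; this matches the sample, where the reasons sum to
    "blocked" only under that reading.
    """
    reasons = dict(ips.get("drop_reason", {}))
    nested = reasons.pop("firewall", None)
    if nested is not None:
        fw_rules = nested.get("rules", 0)
        fw_defaults = sum(nested.get(k, 0) for k in FIREWALL_DEFAULTS)
    else:
        # Flat layouts: firewall_rules is absent in the current layout, so
        # fw_rules stays 0 and the firewall rule drop is counted as IPS.
        fw_rules = reasons.pop("firewall_rules", 0)
        fw_defaults = sum(reasons.pop(k, 0) for k in FIREWALL_DEFAULTS)
    ips_rules = reasons.pop("rules", 0) - fw_rules
    other = sum(reasons.values())
    return {"firewall": fw_rules + fw_defaults,
            "ips_rules": ips_rules,
            "other": other}


def drops_balance(ips):
    """True when the attributed drops add up to the "blocked" counter."""
    parts = attribute_drops(ips)
    return sum(parts.values()) == ips.get("blocked", 0)


if __name__ == "__main__":
    for name, line in (("current", CURRENT_RECORD),
                       ("flat proposal", FLAT_PROPOSAL_RECORD),
                       ("nested proposal", NESTED_PROPOSAL_RECORD)):
        ips = load_ips_stats(line)
        print(name, attribute_drops(ips), "balanced:", drops_balance(ips))
```

Running it shows the effect the issue is after: with the current layout the single rule-based firewall drop is attributed to the IPS side ({"firewall": 1, "ips_rules": 1, "other": 52}), while either proposed layout moves it to the firewall ({"firewall": 2, "ips_rules": 0, "other": 52}); in all three cases the parts still sum to blocked.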

Related issues (1 open, 1 closed):

- Has duplicate: Suricata - Task #7850: stats: add dedicated counters for firewall mode (Rejected, OISF Dev)
- Blocks: Suricata - Story #7583: 9.0.0: usecase: improve firewall usecase (Assigned, Victor Julien)