Optimization #1749
openLog PACKET_DROP in inline mode for invalid states as well
Description
There are several spots like in "StreamTcpPacketStateNone" in stream-tcp.c where we drop packets if suricata is run in inline mode (NFQUEUE in my case) and we don't log anything about the packets, just increase the ips.blocked counter. While it was a faulty configuration (only one part of the connection was send into the NFQUEUE) i would still say that if we have suricata in IPS mode we should log the drops with more detail somehow, maybe use some messages we have for SCLogDebug for normal logging (drop.log for example).
Using the debug mode isn't very reasonable for a productive system but you might still end up with packet drops and want to see why they got dropped although no rule triggered.
At least we should add some output option to enable this kind of logging. Adding some lines to drop.log like "[DROP] $PACKETINFO - $REASON" shouldn't affect performance that much.
Updated by Victor Julien over 8 years ago
I think the first step is to add events for each of those cases, so we can match on it. Having a log could be interesting as well.
Updated by Victor Julien over 7 years ago
- Assignee changed from OISF Dev to Andreas Herz
- Target version changed from TBD to 70
Andreas can you add events for the 'silent' drops?
Updated by Andreas Herz about 6 years ago
- Assignee changed from Andreas Herz to Anonymous
- Effort set to medium
- Difficulty set to medium
Updated by Andreas Herz over 5 years ago
- Target version changed from 70 to TBD
Would it make sense to have dedicated drop counters in the stats as well?
Updated by Victor Julien over 5 years ago
What would these drop counters count exactly? We do have ips.blocked as a generic drop counter (although it's only on NFQ I think, not AF_PACKET IPS)
Updated by Andreas Herz over 5 years ago
They are a subset of the ips.blocked so like ips.blocked."reason" so while the generic counter increasing won't be something odd a huge counter for dropped packets to some invalid traffic type might be something to be easier spot by that.
But I don't remember the specific details from back then :)
Updated by Victor Julien about 5 years ago
Were the events for the silent drops added?