Optimization #1749
open
Log PACKET_DROP in inline mode for invalid states as well
Added by Andreas Herz almost 9 years ago.
Updated about 5 years ago.
Description
There are several spots like in "StreamTcpPacketStateNone" in stream-tcp.c where we drop packets if Suricata is run in inline mode (NFQUEUE in my case) and we don't log anything about the packets, just increase the ips.blocked counter. While it was a faulty configuration (only one part of the connection was sent into the NFQUEUE), I would still say that if we have Suricata in IPS mode we should log the drops with more detail somehow, maybe use some messages we have for SCLogDebug for normal logging (drop.log for example).
Using the debug mode isn't very reasonable for a production system, but you might still end up with packet drops and want to see why they got dropped although no rule triggered.
At least we should add some output option to enable this kind of logging. Adding some lines to drop.log like "[DROP] $PACKETINFO - $REASON" shouldn't affect performance that much.
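As an added example (not code from this ticket or from Suricata itself), the following Python parser reads drop.log lines in the "[DROP] $PACKETINFO - $REASON" shape proposed above and tallies drops per reason, the per-reason breakdown of ips.blocked that the thread also discusses. The log lines and reason strings are constructed assumptions, not Suricata's actual output format.

```python
import re
from collections import Counter

# Constructed sample lines in the "[DROP] $PACKETINFO - $REASON" shape the
# ticket proposes; this is NOT Suricata's real drop.log format or wording.
SAMPLE_DROP_LOG = """\
[DROP] 10.0.0.5:51234 -> 192.0.2.10:443 TCP - stream: packet in state NONE (no SYN seen)
[DROP] 10.0.0.5:51235 -> 192.0.2.10:443 TCP - stream: packet in state NONE (no SYN seen)
[DROP] 10.0.0.7:40000 -> 192.0.2.11:80 TCP - stream: packet in state NONE (no SYN seen)
[DROP] 10.0.0.9:22 -> 192.0.2.12:55000 TCP - rule: sid 1000001
not a drop line
"""

# "$PACKETINFO - $REASON": packet info is everything up to the first " - ";
# the " -> " inside the packet info does not match because ">" follows the dash.
DROP_RE = re.compile(r"^\[DROP\]\s+(?P<packet>.+?)\s+-\s+(?P<reason>.+)$")


def parse_drop_log(text):
    """Yield (packetinfo, reason) for every line in the proposed format."""
    for line in text.splitlines():
        m = DROP_RE.match(line)
        if m:
            yield m.group("packet"), m.group("reason")


def count_by_reason(text):
    """Per-reason subtotals, i.e. an ips.blocked.<reason> style breakdown."""
    return Counter(reason for _, reason in parse_drop_log(text))


def dominant_reasons(text, min_share=0.5):
    """Reasons accounting for at least min_share of all logged drops.

    A single non-rule reason dominating the drops is the signal that is easy to
    miss in the generic ips.blocked counter but obvious here, e.g. the
    misconfiguration from the ticket where only one direction reached NFQUEUE.
    """
    counts = count_by_reason(text)
    total = sum(counts.values())
    if total == 0:
        return []
    return [r for r, n in counts.most_common() if n / total >= min_share]


if __name__ == "__main__":
    for reason, n in count_by_reason(SAMPLE_DROP_LOG).most_common():
        print(f"{n:6d}  {reason}")
    print("dominant:", dominant_reasons(SAMPLE_DROP_LOG))
```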
I think the first step is to add events for each of those cases, so we can match on it. Having a log could be interesting as well.
- Assignee changed from OISF Dev to Andreas Herz
- Target version changed from TBD to 70
Andreas can you add events for the 'silent' drops?
- Assignee changed from Andreas Herz to Anonymous
- Effort set to medium
- Difficulty set to medium
- Assignee set to Community Ticket
- Target version changed from 70 to TBD
Would it make sense to have dedicated drop counters in the stats as well?
What would these drop counters count exactly? We do have ips.blocked as a generic drop counter (although it's only on NFQ I think, not AF_PACKET IPS)
They are a subset of ips.blocked, so something like ips.blocked."reason". While the generic counter increasing won't be something odd, a huge counter for dropped packets of some invalid traffic type might be easier to spot that way.
But I don't remember the specific details from back then :)
Were the events for the silent drops added?