Feature #4573: add IPS drop total to eve log output
Status: closed
Description
It would be useful to have the stats metric for total IPS drops in eve output. Probably similar to the alert count as part of suricata engine output. The field name should be clear that it's ips or alert drops.
e.g.
{"timestamp":"2021-08-03T13:15:28.965147+0000","log_level":"Info","event_type":"engine","engine":{"message":"Alerts: 56893"}}
{"timestamp":"2021-08-03T13:15:28.965147+0000","log_level":"Info","event_type":"engine","engine":{"message":"IPS_Drops: 100"}}
Updated by Victor Julien about 3 years ago
- Related to Feature #4756: capture: support ips stats for all IPS capture methods added
Updated by Jeff Lucovsky about 1 year ago
- Status changed from New to In Progress
Updated by Jeff Lucovsky about 1 year ago
- Status changed from In Progress to In Review
Updated by Victor Julien about 1 year ago
What is the purpose here? We have this as part of eve.stats now, isn't that enough?
Updated by Jeff Lucovsky about 1 year ago
@Corey Thomas Does the eve stats addition meet your needs?
Updated by Corey Thomas about 1 year ago
- Status changed from In Review to Resolved
Jeff Lucovsky wrote in #note-6:
@Corey Thomas Does the eve stats addition meet your needs?
Yes, I think so. We have the accepted, blocked and rejected packets at the end of run.
I'll mark this as resolved. Feel free to fix or let me know if I should change something else.
"stats": {
    "uptime": 726,
    "ips": {
        "accepted": 367085210,
        "blocked": 1395360,
        "rejected": 0,
        "replaced": 0,
        "drop_reason": {
            "decode_error": 0,
            "defrag_error": 0,
            "defrag_memcap": 0,
            "flow_memcap": 0,
            "flow_drop": 1296000,
            "applayer_error": 32400,
            "applayer_memcap": 0,
            "rules": 66960,
            "threshold_detection_filter": 0,
            "stream_error": 0,
            "stream_memcap": 0,
            "stream_midstream": 0,
            "nfq_error": 0,
            "tunnel_packet_drop": 0
        }
    }
}
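One way to get the "IPS drop total" the issue asked for out of the eve.stats block above, as an added example that is not code from the Suricata project or from anyone in this thread. The eve.json lines are constructed here: the first stats record reuses the counters from the block above, the second is an invented later interval, and the alert line, the malformed line and the IDS-mode stats record (no "ips" key) are included only to show they are skipped. Function names are this example's own.

```python
import json

# Constructed eve.json lines (not real Suricata output). Counters in the first stats
# record are copied from the block posted above; the second interval is made up.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2021-08-03T13:15:28.965147+0000","event_type":"alert","alert":{"signature_id":1}}',
    'not json at all',  # e.g. a partially written line at file tail
    json.dumps({"timestamp": "2021-08-03T13:15:00.000000+0000", "event_type": "stats",
                "stats": {"uptime": 726, "ips": {
                    "accepted": 367085210, "blocked": 1395360, "rejected": 0, "replaced": 0,
                    "drop_reason": {"decode_error": 0, "defrag_error": 0, "defrag_memcap": 0,
                                    "flow_memcap": 0, "flow_drop": 1296000, "applayer_error": 32400,
                                    "applayer_memcap": 0, "rules": 66960,
                                    "threshold_detection_filter": 0, "stream_error": 0,
                                    "stream_memcap": 0, "stream_midstream": 0, "nfq_error": 0,
                                    "tunnel_packet_drop": 0}}}}),
    # A stats record without an "ips" block, as an IDS-mode sensor would emit.
    json.dumps({"timestamp": "2021-08-03T13:15:04.000000+0000", "event_type": "stats",
                "stats": {"uptime": 730}}),
    json.dumps({"timestamp": "2021-08-03T13:15:08.000000+0000", "event_type": "stats",
                "stats": {"uptime": 734, "ips": {
                    "accepted": 367090000, "blocked": 1395560, "rejected": 0, "replaced": 0,
                    "drop_reason": {"flow_drop": 1296100, "applayer_error": 32400,
                                    "rules": 67060, "nfq_error": 0}}}}),
]


def iter_ips_stats(lines):
    """Yield (timestamp, ips_dict) for every eve 'stats' record that carries IPS counters.

    Malformed lines and records without stats.ips are skipped rather than raised on,
    because eve.json is written continuously and the last line may be incomplete.
    """
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "stats":
            continue
        ips = rec.get("stats", {}).get("ips")
        if not isinstance(ips, dict):
            continue
        yield rec.get("timestamp"), ips


def drop_total(ips):
    """Total IPS drops for one stats record: packets blocked plus packets rejected."""
    return int(ips.get("blocked", 0)) + int(ips.get("rejected", 0))


def drop_reason_breakdown(ips):
    """Non-zero drop reasons as (reason, count) pairs, largest first."""
    reasons = ips.get("drop_reason", {})
    return sorted(((k, int(v)) for k, v in reasons.items() if v), key=lambda kv: -kv[1])


def drop_deltas(lines):
    """Per-interval increase in drops.

    eve.stats counters are cumulative since engine start, so the useful alerting
    signal is the difference between consecutive records, not the raw value.
    """
    prev_total = None
    deltas = []
    for ts, ips in iter_ips_stats(lines):
        total = drop_total(ips)
        if prev_total is not None:
            deltas.append((ts, total - prev_total))
        prev_total = total
    return deltas


if __name__ == "__main__":
    for ts, ips in iter_ips_stats(SAMPLE_EVE_LINES):
        print(ts, "IPS drops:", drop_total(ips), drop_reason_breakdown(ips))
    print("per-interval drop deltas:", drop_deltas(SAMPLE_EVE_LINES))
```

On the counters posted above, the non-zero drop_reason entries (flow_drop, applayer_error, rules) add up to exactly the blocked count, which is a handy consistency check when a dashboard shows the two side by side; a growing flow_drop or applayer_error delta in particular points at memcap or parser trouble rather than rule matches.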
Updated by Jeff Lucovsky about 1 year ago
- Status changed from Resolved to Rejected
Now that the eve stats contains this information, displaying a console message with the same info is no longer required.