
List:       oisf-users
Subject:    Re: [Oisf-users] Decoder Invalid Stats incrementing
From:       Peter Manev <petermanev () gmail ! com>
Date:       2016-03-20 16:40:05
Message-ID: CAMhe82LK9aTHczpaJGVGvhzgNja1vAR=KpJdcm0tN1ahKZsTkQ () mail ! gmail ! com

On Mon, Mar 14, 2016 at 1:26 PM, Murali Kandula <muralispruce@gmail.com> wrote:
> Hello All,
>
> I am seeing decoder.invalid stats incrementing. I found that to
> debug this I need to build suricata with --enable-debug and enabled
> decoder-events.rules but none of the rules got fired. Any ideas why the
> counter is still incrementing but not generating any alerts from decoder
> rules?
>


I would suggest to redo the test - enable the decoder rules - but don't
enable the debugging.
If you have the decoder events still incrementing without any alerts
being generated from the decoder invalids rules - I would suspect
(vlan) mis-tagging or stripping of mpls off the wrong direction, for
example - that can lead to lots of drops too.

If you are not using vlan or mpls in the mirrored traffic - do a
short simple tcpdump and have a look for inconsistencies that might
give you an idea.

thanks

> -Murali
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net



-- 
Regards,
Peter Manev
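
One way to look for the VLAN/MPLS inconsistencies suggested in the reply above, as an added example that is not part of the original message or of Suricata: it walks raw Ethernet frames (as exported from a short capture) and reports IP pairs whose two directions carry different VLAN or MPLS encapsulation. The function names `encapsulation`, `asymmetric_flows` and `build` are hypothetical, only IPv4 is handled, and the sample frames are constructed.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address
VLAN_TYPES = {0x8100, 0x88A8}   # 802.1Q, 802.1ad
MPLS_TYPES = {0x8847, 0x8848}   # MPLS unicast, multicast

def encapsulation(frame):
    """Return (layers, src_ip, dst_ip) for an Ethernet frame carrying IPv4, else None."""
    if len(frame) < 14: return None
    layers, off = [], 14
    (etype,) = struct.unpack_from("!H", frame, 12)
    while etype in VLAN_TYPES and len(frame) >= off + 4:
        tci, etype = struct.unpack_from("!HH", frame, off)
        layers.append(f"vlan:{tci & 0x0FFF}")      # low 12 bits of the TCI are the VLAN ID
        off += 4
    if etype in MPLS_TYPES:
        while len(frame) >= off + 4:
            (entry,) = struct.unpack_from("!I", frame, off)
            layers.append(f"mpls:{entry >> 12}")   # top 20 bits are the label
            off += 4
            if entry & 0x100:                      # bottom-of-stack bit ends the label stack
                break
        # MPLS has no payload type field; treat a leading version nibble of 4 as IPv4
        etype = 0x0800 if len(frame) > off and frame[off] >> 4 == 4 else None
    if etype != 0x0800 or len(frame) < off + 20:
        return None
    src, dst = frame[off + 12:off + 16], frame[off + 16:off + 20]
    return tuple(layers), str(IPv4Address(src)), str(IPv4Address(dst))

def asymmetric_flows(frames):
    """Return IP pairs seen in both directions whose encapsulation differs by direction."""
    seen = defaultdict(lambda: defaultdict(set))
    for frame in frames:
        if parsed := encapsulation(frame):
            layers, src, dst = parsed
            seen[tuple(sorted((src, dst)))][(src, dst)].add(layers)
    return {pair: dict(dirs) for pair, dirs in seen.items()
            if len(dirs) == 2 and len({frozenset(v) for v in dirs.values()}) > 1}

def build(tags, src, dst):  # constructed frame: zeroed MACs + hex encapsulation + minimal IPv4 header
    ip = b"\x45" + bytes(11) + IPv4Address(src).packed + IPv4Address(dst).packed
    return bytes(12) + bytes.fromhex(tags) + ip

SAMPLE = [  # constructed frames, not captured traffic
    build("810000640800", "10.0.0.1", "10.0.0.2"),  # VLAN 100 in one direction
    build("0800", "10.0.0.2", "10.0.0.1"),          # reply arrives untagged
    build("810000c80800", "10.0.0.3", "10.0.0.4"),  # VLAN 200 both ways (consistent)
    build("810000c80800", "10.0.0.4", "10.0.0.3"),
    build("884700010140", "10.0.0.5", "10.0.0.6"),  # MPLS label 16 in one direction
    build("0800", "10.0.0.6", "10.0.0.5"),          # label stripped on the way back
]
```

On the constructed sample, `asymmetric_flows(SAMPLE)` reports the 10.0.0.1/10.0.0.2 and 10.0.0.5/10.0.0.6 pairs and leaves out the consistently tagged one.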