[Oisf-users] decoder.invalid count

Victor Julien lists at inliniac.net
Wed Nov 25 15:32:57 UTC 2015


On 23-11-15 20:09, Spransy, Derek wrote:
> Thanks Julien, that's very useful information. What I found is that we're matching "SURICATA IPv4 truncated packet" over and over again. When I take a look at the packets in question I see that the length field is set to 05 F1 (1521), which doesn't match the actual length of the packets at all. So now I have to talk to our network folks to find out what's going on there.

The most likely cause is interface offloading; did you disable those with
ethtool?

> When the decoder detects this situation is the packet/stream subsequently discarded, or does processing of the packet continue?

They are discarded.

Cheers,
Victor



> ________________________________________
> From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Victor Julien <lists at inliniac.net>
> Sent: Monday, November 23, 2015 1:05 PM
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] decoder.invalid count
> 
> On 23-11-15 16:30, Spransy, Derek wrote:
>> I'm troubleshooting a very high decoder.invalid count on my sensor;
>> nearly 35%. My kernel drop count is less than 1% and we seem to be
>> generating about the number of alerts that I would expect. I'm not able
>> to find much in the way of documentation that explains what may lead to
>> a packet being marked as invalid in Suricata. The only thing I've found
>> so far is advice to make sure that the interface MTU and Suricata.yaml
>> MTU settings match (which they do) and ensure that the MTU is large
>> enough for packets being seen on that interface (it is). I even tried to
>> increase the MTU to 9026 without any difference. Can anyone point me in
>> the direction of other factors that could be at work here?
> 
> All the reasons for incrementing this counter should be matchable
> through the decoder-events.rules we ship. Enable this file to find out more.
> 
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
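A way to confirm the mismatch Derek describes before changing NIC settings, as an added example that is not part of this thread and not Suricata's own code: the script below re-implements the IPv4 header length checks that Suricata's decoder applies, walks every record of a classic pcap, and tallies how often the IP total-length field claims more bytes than were actually captured. The event names are assumed to match those in decoder-events.rules; the in-memory pcap it audits when given no file is constructed here, with one frame carrying the 0x05F1 (1521) total length from the thread.

```python
#!/usr/bin/env python3
"""Count Suricata-style IPv4 length events over a pcap (added example, not Suricata code).

Usage: python3 ipv4_length_audit.py capture.pcap
With no argument it audits a small constructed pcap built below.
"""
import struct
import sys
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic libpcap file, microsecond timestamps


def ipv4_length_check(ip_bytes):
    """Apply the header/length checks Suricata's IPv4 decoder runs, in its order.

    Returns None when the header is consistent with the bytes actually present,
    otherwise the decoder event name (assumed to match decoder-events.rules).
    """
    if len(ip_bytes) < 20:
        return "ipv4.pkt_too_small"
    ver_ihl = ip_bytes[0]
    if ver_ihl >> 4 != 4:
        return "ipv4.wrong_ip_version"
    hlen = (ver_ihl & 0x0F) * 4
    if hlen < 20:
        return "ipv4.hlen_too_small"
    total_len = struct.unpack("!H", ip_bytes[2:4])[0]
    if total_len < hlen:
        return "ipv4.iplen_smaller_than_hlen"
    if len(ip_bytes) < total_len:
        # the thread's case: the header claims more bytes than were captured
        return "ipv4.trunc_pkt"
    return None   # trailing bytes are tolerated; the decoder trims to total_len


def audit_pcap(data):
    """Walk every record of a classic pcap buffer (Ethernet link type).

    Returns (event counts, Counter of the claimed total-length values seen on
    truncated packets) so a repeating bogus value such as 1521 stands out.
    """
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_USEC:
        e = "<"
    elif magic == 0xD4C3B2A1:           # same format written big-endian
        e = ">"
    else:
        raise ValueError("not a classic pcap: magic 0x%08x" % magic)
    linktype = struct.unpack(e + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("expected Ethernet (linktype 1), got %d" % linktype)
    counts, claimed = Counter(), Counter()
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        counts["packets"] += 1
        if incl_len < orig_len:
            counts["snaplen_cut"] += 1      # the capture itself shortened the frame
        if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            counts["non_ipv4"] += 1
            continue
        event = ipv4_length_check(frame[14:])
        if event is None:
            counts["ok"] += 1
        else:
            counts["decoder." + event] += 1
            if event == "ipv4.trunc_pkt":
                claimed[struct.unpack("!H", frame[16:18])[0]] += 1
    return counts, claimed


def build_ipv4_frame(total_len_field, payload_len):
    """Constructed Ethernet+IPv4 frame whose header claims total_len_field bytes."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len_field, 0x1234, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + b"\x00" * payload_len


def build_pcap(frames):
    """Constructed little-endian pcap with each frame stored as a full-length record."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    recs = [struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames]
    return hdr + b"".join(recs)


SAMPLE_PCAP = build_pcap([
    build_ipv4_frame(20 + 100, 100),   # consistent header: decodes fine
    build_ipv4_frame(0x05F1, 40),      # claims 1521 bytes, only 60 present (the thread's case)
    build_ipv4_frame(20 + 50, 100),    # claims fewer bytes than present: trailer, still fine
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    counts, claimed = audit_pcap(data)
    for name, n in sorted(counts.items()):
        print("%-36s %d" % (name, n))
    print("claimed total length on truncated packets:", claimed.most_common(5))
```

Run it against a short capture taken on the sensor interface: a large `decoder.ipv4.trunc_pkt` share with the same claimed length repeating is consistent with the length field being rewritten before the frame reaches the capture point, which is what Victor's offloading suggestion points at, whereas a high `snaplen_cut` count would instead mean the capture itself is truncating frames.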
