[Oisf-users] decoder.invalid count

Victor Julien lists at inliniac.net
Mon Nov 23 18:05:56 UTC 2015

On 23-11-15 16:30, Spransy, Derek wrote:
> I'm troubleshooting a very high decoder.invalid count on my sensor;
> nearly 35%. My kernel drop count is less than 1% and we seem to be
> generating about the number of alerts that I would expect. I'm not able
> to find much in the way of documentation that explains what may lead to
> a packet being marked as invalid in Suricata. The only thing I've found
> so far is advice to make sure that the interface MTU and Suricata.yaml
> MTU settings match (which they do) and ensure that the MTU is large
> enough for packets being seen on that interface (it is). I even tried to
> increase the MTU to 9026 without any difference. Can anyone point me in
> the direction of other factors that could be at work here?

All the reasons for incrementing this counter should be matchable
through the decoder-events.rules we ship. Enable this file to find out more.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list