[Oisf-users] decoder.invalid count

Spransy, Derek dsprans at emory.edu
Mon Nov 23 19:09:34 UTC 2015

Thanks Julien, that's very useful information. What I found is that we're matching "SURICATA IPv4 truncated packet" over and over again. When I take a look at the packets in question I see that the length field is set to 05 F1 (1521), which doesn't match the actual length of the packets at all. So now I have to talk to our network folks to find out what's going on there.

When the decoder detects this situation is the packet/stream subsequently discarded, or does processing of the packet continue?
From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Victor Julien <lists at inliniac.net>
Sent: Monday, November 23, 2015 1:05 PM
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] decoder.invalid count

On 23-11-15 16:30, Spransy, Derek wrote:
> I'm troubleshooting a very high decoder.invalid count on my sensor;
> nearly 35%. My kernel drop count is less than 1% and we seem to be
> generating about the number of alerts that I would expect. I'm not able
> to find much in the way of documentation that explains what may lead to
> a packet being marked as invalid in Suricata. The only thing I've found
> so far is advice to make sure that the interface MTU and Suricata.yaml
> MTU settings match (which they do) and ensure that the MTU is large
> enough for packets being seen on that interface (it is). I even tried to
> increase the MTU to 9026 without any difference. Can anyone point me in
> the direction of other factors that could be at work here?

All the reasons for incrementing this counter should be matchable
through the decoder-events.rules we ship. Enable this file to find out more.

Victor Julien
PGP: https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fwww.inliniac.net%2fvictorjulien.asc&data=01%7c01%7cdsprans%40emory.edu%7ca523e624067e4203805608d2f430bdc1%7ce004fb9cb0a4424fbcd0322606d5df38%7c1&sdata=NO%2fau3YOizZ2T5%2bf4Onv2tT437fBY2w8nKsoCu%2bF2UE%3d

Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fsuricata-ids.org&data=01%7c01%7cdsprans%40emory.edu%7ca523e624067e4203805608d2f430bdc1%7ce004fb9cb0a4424fbcd0322606d5df38%7c1&sdata=mNtdL6oyg0dmUs0s1ZgH9O6GTv0%2btRBadqTre%2bJJFtY%3d | Support: https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fsuricata-ids.org%2fsupport%2f&data=01%7c01%7cdsprans%40emory.edu%7ca523e624067e4203805608d2f430bdc1%7ce004fb9cb0a4424fbcd0322606d5df38%7c1&sdata=rMi2kqTscpqH4M64b31aq5qvwONJ5FwYk6%2fjMg9SHuA%3d
List: https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2flists.openinfosecfoundation.org%2fmailman%2flistinfo%2foisf-users&data=01%7c01%7cdsprans%40emory.edu%7ca523e624067e4203805608d2f430bdc1%7ce004fb9cb0a4424fbcd0322606d5df38%7c1&sdata=BcqZo1JE0MmbTIgYfTF9jKpowvJnGWoMrlnAWxOJ4J4%3d
Suricata User Conference November 4 & 5 in Barcelona: https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2foisfevents.net&data=01%7c01%7cdsprans%40emory.edu%7ca523e624067e4203805608d2f430bdc1%7ce004fb9cb0a4424fbcd0322606d5df38%7c1&sdata=mDwVW4OPwZfAw2pp5TcD%2f2iQsaxcnrifOTOvkucsEq0%3d


This e-mail message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this message (including any attachments) is strictly

If you have received this message in error, please contact
the sender by reply e-mail message and destroy all copies of the
original message (including attachments).

More information about the Oisf-users mailing list