[Oisf-users] decoder.invalid count

Peter Manev petermanev at gmail.com
Wed Nov 25 16:10:53 UTC 2015


On Wed, Nov 25, 2015 at 4:50 PM, Spransy, Derek <dsprans at emory.edu> wrote:
> I believe that everything is off that should be. I run a script at startup which does the following:
>
> for i in rx tx sg tso ufo gso gro lro;
>         do /usr/sbin/ethtool -K enp2s0f0 $i off;
> done
>
> Here's the current output of ethtool -k:
>
> Features for enp2s0f0:
> rx-checksumming: off
> tx-checksumming: off
>         tx-checksum-ipv4: off
>         tx-checksum-ip-generic: off [fixed]
>         tx-checksum-ipv6: off
>         tx-checksum-fcoe-crc: on [fixed]
>         tx-checksum-sctp: off
> scatter-gather: off
>         tx-scatter-gather: off
>         tx-scatter-gather-fraglist: off [fixed]
> tcp-segmentation-offload: off
>         tx-tcp-segmentation: off
>         tx-tcp-ecn-segmentation: off [fixed]
>         tx-tcp6-segmentation: off
> udp-fragmentation-offload: off [fixed]
> generic-segmentation-offload: off
> generic-receive-offload: off
> large-receive-offload: off

> rx-vlan-offload: on
> tx-vlan-offload: on

Using VLANs in the traffic?

> ntuple-filters: off
> receive-hashing: on
> highdma: on [fixed]
> rx-vlan-filter: on [fixed]
> vlan-challenged: off [fixed]
> tx-lockless: off [fixed]
> netns-local: off [fixed]
> tx-gso-robust: off [fixed]
> tx-fcoe-segmentation: on [fixed]
> tx-gre-segmentation: off [fixed]
> tx-ipip-segmentation: off [fixed]
> tx-sit-segmentation: off [fixed]
> tx-udp_tnl-segmentation: on
> tx-mpls-segmentation: off [fixed]
> fcoe-mtu: off [fixed]
> tx-nocache-copy: on
> loopback: off [fixed]
> rx-fcs: off [fixed]
> rx-all: off [fixed]
> tx-vlan-stag-hw-insert: off [fixed]
> rx-vlan-stag-hw-parse: off [fixed]
> rx-vlan-stag-filter: off [fixed]
> busy-poll: on [fixed]
> ________________________________________
> From: Victor Julien <lists at inliniac.net>
> Sent: Wednesday, November 25, 2015 10:32 AM
> To: Spransy, Derek; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] decoder.invalid count
>
> On 23-11-15 20:09, Spransy, Derek wrote:
>> Thanks Julien, that's very useful information. What I found is that we're matching "SURICATA IPv4 truncated packet" over and over again. When I take a look at the packets in question I see that the length field is set to 05 F1 (1521), which doesn't match the actual length of the packets at all. So now I have to talk to our network folks to find out what's going on there.
>
> Most likely cause is interface offloading, did you disable those with
> ethtool?
>
>> When the decoder detects this situation is the packet/stream subsequently discarded, or does processing of the packet continue?
>
> They are discarded.
>
> Cheers,
> Victor
>
>
>
>> ________________________________________
>> From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Victor Julien <lists at inliniac.net>
>> Sent: Monday, November 23, 2015 1:05 PM
>> To: oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] decoder.invalid count
>>
>> On 23-11-15 16:30, Spransy, Derek wrote:
>>> I'm troubleshooting a very high decoder.invalid count on my sensor;
>>> nearly 35%. My kernel drop count is less than 1% and we seem to be
>>> generating about the number of alerts that I would expect. I'm not able
>>> to find much in the way of documentation that explains what may lead to
>>> a packet being marked as invalid in Suricata. The only thing I've found
>>> so far is advice to make sure that the interface MTU and Suricata.yaml
>>> MTU settings match (which they do) and ensure that the MTU is large
>>> enough for packets being seen on that interface (it is). I even tried to
>>> increase the MTU to 9026 without any difference. Can anyone point me in
>>> the direction of other factors that could be at work here?
>>
>> All the reasons for incrementing this counter should be matchable
>> through the decoder-events.rules we ship. Enable this file to find out more.
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
>>
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>



-- 
Regards,
Peter Manev
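The "SURICATA IPv4 truncated packet" match discussed above (length field 05 F1 = 1521, larger than the frame that arrived) comes down to one comparison between the IPv4 total-length field and the bytes the capture actually delivered. The following Python example is added here and is not Suricata's decoder code; it reproduces that check on constructed frames, including the 802.1Q-tagged case the VLAN question is about, and `ipv4_frame` is a test helper that exists only in this example.

```python
import struct

ETH_P_IP = 0x0800      # EtherType for IPv4
ETH_P_8021Q = 0x8100   # EtherType for an 802.1Q VLAN tag


def decode_frame(frame: bytes) -> str:
    """Decoder verdict for one captured Ethernet frame: the IPv4 total-length
    field must not claim more bytes than the capture delivered (the check
    behind the "IPv4 truncated packet" event). Illustration, not Suricata code."""
    if len(frame) < 14:
        return "ethernet truncated"
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset = 14
    # Step over an 802.1Q tag; with rx-vlan-offload on, the NIC strips this
    # tag before capture, so the L3 offset differs from what went on the wire.
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            return "vlan truncated"
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        offset = 18
    if ethertype != ETH_P_IP:
        return "not ipv4"
    ip = frame[offset:]
    if len(ip) < 20:
        return "ipv4 header truncated"
    ver_ihl, _tos, total_len = struct.unpack_from("!BBH", ip, 0)
    if ver_ihl >> 4 != 4:
        return "ipv4 bad version"
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl:
        return "ipv4 bad length fields"
    if total_len > len(ip):
        return f"ipv4 truncated packet (total_len={total_len}, captured={len(ip)})"
    return "ok"


def ipv4_frame(total_len: int, payload_len: int, vlan: bool = False) -> bytes:
    """Constructed test frame: the IPv4 total-length field says total_len,
    but only payload_len bytes actually follow the 20-byte IP header."""
    eth = b"\x00" * 12                                # dummy dst/src MACs
    if vlan:
        eth += struct.pack("!HH", ETH_P_8021Q, 100)  # TPID + VLAN id 100
    eth += struct.pack("!H", ETH_P_IP)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip_hdr + b"\x00" * payload_len
```

Running `decode_frame(ipv4_frame(0x05F1, 1480))` reproduces the thread's symptom: a 1500-byte IP packet whose header claims 1521 bytes is reported as truncated, which is exactly what a receive-side merge or a mangled length field looks like to the decoder.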


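The VLAN question above points at the two offload flags still reported `on` in the quoted `ethtool -k` output. The following Python audit is added here and is not from the thread: it parses that output format and lists capture-hostile features that are on and that `ethtool -K` can still change (features marked `[fixed]` cannot be toggled). The `CAPTURE_HOSTILE` set and the `SAMPLE` excerpt are this example's own assumptions, chosen to match the loop and output quoted above.

```python
import re

# Offload features that can rewrite, merge or strip frames before a sniffer
# sees them; the set here is this illustration's choice, matching what the
# thread's startup loop turns off plus the two VLAN offloads.
CAPTURE_HOSTILE = {
    "rx-checksumming", "tx-checksumming", "scatter-gather",
    "tcp-segmentation-offload", "udp-fragmentation-offload",
    "generic-segmentation-offload", "generic-receive-offload",
    "large-receive-offload", "rx-vlan-offload", "tx-vlan-offload",
}

# One `ethtool -k` feature line: name, on/off, optional bracketed note.
LINE_RE = re.compile(
    r"^\s*(?P<name>[\w.-]+):\s+(?P<state>on|off)(?:\s+\[(?P<note>[^\]]+)\])?\s*$")


def parse_ethtool_k(text: str) -> dict:
    """Map feature name -> (state, fixed) from `ethtool -k` output.
    Header lines such as 'Features for enp2s0f0:' do not match and are skipped."""
    feats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            feats[m["name"]] = (m["state"], m["note"] == "fixed")
    return feats


def offloads_still_on(text: str) -> list:
    """Capture-hostile features that are on and that ethtool -K can still change."""
    feats = parse_ethtool_k(text)
    return sorted(name for name, (state, fixed) in feats.items()
                  if state == "on" and not fixed and name in CAPTURE_HOSTILE)


# Constructed excerpt in the shape of the output quoted in the thread.
SAMPLE = """Features for enp2s0f0:
rx-checksumming: off
tx-checksumming: off
        tx-checksum-ipv4: off
        tx-checksum-fcoe-crc: on [fixed]
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: on
receive-hashing: on
highdma: on [fixed]
tx-udp_tnl-segmentation: on
busy-poll: on [fixed]
"""
```

On the sample, `offloads_still_on(SAMPLE)` returns only the two VLAN offloads; the startup loop's `rx tx sg tso ufo gso gro lro` list does not cover `rxvlan`/`txvlan`, which is what the question about VLANs is probing.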
