[Oisf-users] Decoder Invalid Stats incrementing
Peter Manev
petermanev at gmail.com
Sun Mar 20 16:40:05 UTC 2016
On Mon, Mar 14, 2016 at 1:26 PM, Murali Kandula <muralispruce at gmail.com> wrote:
> Hello All,
>
> I am seeing decoder.invalid stats getting incremented. I found that to
> debug this I need to build suricata with --enable-debug and enabled
> decoder-events.rules but none of the rules got fired. Any ideas why the
> counter is still incrementing but not generating any alerts from decoder
> rules?
>
I would suggest to redo the test - enable the decoder rules - but don't
enable the debugging.
If you have the decoder events still incrementing without any alerts
being generated from the decoder invalids rules - I would suspect
(vlan) mis-tagging or stripping of mpls off the wrong direction for
example that can lead to lots of drops too.
If you are not using vlan or mpls in the mirrored traffic - do a
short simple tcpdump and have a look for inconsistencies that might
give you an idea.
thanks
> -Murali
>
--
Regards,
Peter Manev
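
One way to run the tcpdump check suggested above, as an added example that is not part of the original message or of Suricata itself: it parses the bytes of a classic pcap and reports host pairs whose two directions arrive with different VLAN/MPLS encapsulation. The function names and the sample capture are constructed for illustration; an Ethernet link type and a little-endian pcap are assumed.

```python
import socket, struct
from collections import defaultdict

VLAN_TYPES, MPLS_TYPES, IPV4 = (0x8100, 0x88A8), (0x8847, 0x8848), 0x0800

def read_pcap(data):
    """Yield frames from a classic little-endian pcap byte string (Ethernet assumed)."""
    if data[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("expected little-endian microsecond pcap")
    off = 24                                        # skip the global header
    while off + 16 <= len(data):
        incl = struct.unpack_from("<I", data, off + 8)[0]
        yield data[off + 16: off + 16 + incl]
        off += 16 + incl

def classify(frame):
    """Return (encap, src_ip, dst_ip) for an IPv4 payload, else None."""
    if len(frame) < 14:
        return None
    etype, off, encap = struct.unpack_from("!H", frame, 12)[0], 14, "untagged"
    while etype in VLAN_TYPES and len(frame) >= off + 4:
        etype, off, encap = struct.unpack_from("!H", frame, off + 2)[0], off + 4, "vlan"
    if etype in MPLS_TYPES:
        encap = "mpls"
        while len(frame) >= off + 4:                # walk the label stack
            entry, off = struct.unpack_from("!I", frame, off)[0], off + 4
            if entry & 0x100:                       # bottom-of-stack bit
                break
    elif etype != IPV4:
        return None
    if len(frame) < off + 20 or frame[off] >> 4 != 4:
        return None
    return encap, socket.inet_ntoa(frame[off + 12:off + 16]), socket.inet_ntoa(frame[off + 16:off + 20])

def asymmetric_pairs(pcap_bytes):
    """Per-direction encapsulations for host pairs whose two directions differ."""
    seen = defaultdict(lambda: defaultdict(set))
    for encap, src, dst in filter(None, map(classify, read_pcap(pcap_bytes))):
        seen[tuple(sorted((src, dst)))][f"{src}->{dst}"].add(encap)
    return {pair: {d: sorted(e) for d, e in dirs.items()}
            for pair, dirs in seen.items()
            if len(dirs) == 2 and len({frozenset(e) for e in dirs.values()}) > 1}

# Constructed sample: the request arrives VLAN-tagged (id 100), the reply untagged.
def _record(src, dst, tag=b""):
    f = bytes(12) + tag + b"\x08\x00\x45" + bytes(11) + bytes(src) + bytes(dst)
    return bytes(8) + struct.pack("<II", len(f), len(f)) + f
A, B = (10, 0, 0, 1), (10, 0, 0, 2)
SAMPLE = b"\xd4\xc3\xb2\xa1" + bytes(20) + _record(A, B, b"\x81\x00\x00\x64") + _record(B, A)
```

To use it on real traffic, pass the bytes of a capture written with `tcpdump -w`, for instance `asymmetric_pairs(open(path, "rb").read())`; an empty result means no host pair showed a per-direction tagging difference in that capture.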