[Oisf-users] Decoder Invalid Stats incrementing

Peter Manev petermanev at gmail.com
Sun Mar 20 16:40:05 UTC 2016


On Mon, Mar 14, 2016 at 1:26 PM, Murali Kandula <muralispruce at gmail.com> wrote:
> Hello All,
>
> I am seeing decoder.invalid stats incrementing. I found that to
> debug this I need to build suricata with --enable-debug and enabled
> decoder-events.rules but none of the rules got fired. Any ideas why the
> counter is still incrementing but not generating any alerts from decoder
> rules?
>


I would suggest redoing the test - enable the decoder rules - but don't
enable the debugging.
If you have the decoder events still incrementing without any alerts
being generated from the decoder invalids rules - I would suspect
(vlan) mis-tagging or stripping of mpls off the wrong direction, for
example - that can lead to lots of drops too.

If you are not using vlan or mpls in the mirrored traffic - do a
short simple tcpdump and have a look for inconsistencies that might
give you an idea.

thanks

> -Murali



-- 
Regards,
Peter Manev
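
One way to run the capture check suggested in the reply above, as an added example that is not part of the original message: it reads a classic pcap file (as written by `tcpdump -w`, not pcapng), records the VLAN/MPLS encapsulation seen for each IPv4 direction, and lists host pairs whose two directions differ. The function names and the sample capture are constructed for illustration.

```python
import struct
from collections import defaultdict

def tag_summary(pcap: bytes):
    """Map (src_ip, dst_ip) -> set of encapsulations seen in that direction."""
    magic = struct.unpack("<I", pcap[:4])[0]
    end = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"  # capture byte order
    seen, off = defaultdict(set), 24             # skip 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 14:
            continue
        etype, pos, tags = struct.unpack("!H", frame[12:14])[0], 14, []
        while etype in (0x8100, 0x88A8) and pos + 4 <= len(frame):  # 802.1Q / QinQ
            tci, etype = struct.unpack("!HH", frame[pos:pos + 4])
            tags.append(f"vlan:{tci & 0x0FFF}")
            pos += 4
        if etype == 0x8847:                      # MPLS unicast: walk the label stack
            while pos + 4 <= len(frame):
                entry = struct.unpack("!I", frame[pos:pos + 4])[0]
                tags.append(f"mpls:{entry >> 12}")
                pos += 4
                if entry & 0x100:                # bottom-of-stack bit
                    break
            etype = 0x0800 if pos < len(frame) and frame[pos] >> 4 == 4 else 0
        if etype == 0x0800 and pos + 20 <= len(frame):
            src, dst = (".".join(map(str, frame[pos + o:pos + o + 4])) for o in (12, 16))
            seen[(src, dst)].add("/".join(tags) or "untagged")
    return dict(seen)

def asymmetric(seen):
    """IP pairs whose two directions differ (a missing direction also counts)."""
    return sorted({tuple(sorted(k)) for k in seen if seen[k] != seen.get(k[::-1], set())})

def _frame(src, dst, vlan=None):   # constructed frame: Ethernet + minimal IPv4 header
    l2 = bytes(12) + (struct.pack("!HH", 0x8100, vlan) if vlan else b"") + b"\x08\x00"
    return l2 + b"\x45" + bytes(11) + bytes(map(int, (src + "." + dst).split(".")))

def _pcap(frames):                 # constructed little-endian pcap, linktype Ethernet
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE = _pcap([_frame("10.0.0.1", "10.0.0.2", vlan=100),   # tagged one way
                _frame("10.0.0.2", "10.0.0.1"),              # untagged on return
                _frame("10.0.0.3", "10.0.0.4", vlan=200),
                _frame("10.0.0.4", "10.0.0.3", vlan=200)])
```

On a real capture, pass the file contents instead of the sample, e.g. `asymmetric(tag_summary(open(path, "rb").read()))`.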


