[Oisf-users] How to discover Dropped packets

Andreas Herz andi at geekosphere.org
Fri Oct 28 20:30:23 UTC 2016


Please always reply to the list.

On 28/10/16 at 18:01, Filippo Carletti wrote:
> > Well can you share the relevant parts of your iptables rules?
> 
> iptables counter 10 minutes after reset, roughly same time of suricata
> stats below:
> [snap]

There is not much to see, so it's hard to guess with those rules.

> The only ACCEPTed packets are on lo or dhcp related.
> 
> Full iptables -nL output attached. NFQBY is used to jump to nfqueue 0 --bypass.

That's a bit too much to debug for me. What you could try is to limit it
to dedicated traffic (HTTP if you're fully in control) and see if really
every packet is going into the NFQUEUE. Or work with src/dest IPs.

Another idea is to replace all ACCEPT with ACCEPT_NFQUEUE calls and in
the ACCEPT_NFQUEUE chain you add a -j NFQUEUE for your WAN interface.
With that you make sure that all packets that go in and out of your WAN
interface go into suricata. Or at least the most obvious ACCEPTs.

> Here are suricata stats:
> [snap]
> ips.accepted                               | Total                     | 22083
> ips.blocked                                | Total                     | 15

This is not sooo much blocked in that case.

There are some issues with the packets, but you could either patch
suricata to have more info about the packets or you try to debug that
outside of suricata by changing your ruleset.

You could also try to work with a really simple ruleset for testing
purposes.

-- 
Andreas Herz
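The ACCEPT_NFQUEUE idea above, worked through as an added example (this is not code from the thread or from the Suricata project). It assumes a WAN interface named eth0, NFQUEUE number 0 and the filter table; the sample iptables-save dump is constructed for the demo. The script rewrites every "-j ACCEPT" in the filter table to "-j ACCEPT_NFQUEUE", adds the chain with NFQUEUE rules for traffic entering or leaving the WAN interface, and shows how to read the chain's counters so they can be compared with ips.accepted + ips.blocked in Suricata's stats over the same window.

```shell
#!/bin/sh
# Added example, not from the thread: route all ACCEPTed WAN traffic through
# Suricata's NFQUEUE and verify it with packet counters.
# Assumptions: WAN interface "eth0", queue number 0, filter table only.
WAN_IF="${WAN_IF:-eth0}"
QUEUE_NUM="${QUEUE_NUM:-0}"

# stdin: iptables-save output; stdout: same dump with ACCEPT_NFQUEUE spliced in.
# - every "-j ACCEPT" rule in *filter becomes "-j ACCEPT_NFQUEUE"
# - chain policies (":INPUT ACCEPT [0:0]") are left alone
# - any earlier ACCEPT_NFQUEUE definition is dropped and regenerated, so
#   running the filter twice gives the same result
build_ruleset() {
    awk -v wan="$1" -v q="$2" '
        /^\*/ {
            infilter = ($0 == "*filter")
            print
            if (infilter) print ":ACCEPT_NFQUEUE - [0:0]"
            next
        }
        infilter && /^:ACCEPT_NFQUEUE / { next }
        infilter && /^-A ACCEPT_NFQUEUE / { next }
        infilter && / -j ACCEPT$/ { sub(/ -j ACCEPT$/, " -j ACCEPT_NFQUEUE") }
        infilter && /^COMMIT$/ {
            # --queue-bypass: if no process is bound to the queue the packet is
            # ACCEPTed, i.e. the box fails open when Suricata is down. Remove
            # it for fail-closed behaviour.
            print "-A ACCEPT_NFQUEUE -i " wan " -j NFQUEUE --queue-num " q " --queue-bypass"
            print "-A ACCEPT_NFQUEUE -o " wan " -j NFQUEUE --queue-num " q " --queue-bypass"
            # Reached only by packets not crossing the WAN interface (lo, LAN).
            # In Suricata'"'"'s default NFQ mode ("accept") an accept verdict ends
            # chain traversal, so queued packets never hit this rule.
            print "-A ACCEPT_NFQUEUE -j ACCEPT"
        }
        { print }
    '
}

# Constructed sample dump standing in for "iptables-save" on the box in question:
# only lo and DHCP are accepted on INPUT, plus established flows and LAN->WAN.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'

# Offline demo: rewrite the constructed dump.
demo() {
    printf '%s\n' "$SAMPLE_DUMP" | build_ruleset "$WAN_IF" "$QUEUE_NUM"
}

# Live apply (needs root and a real netfilter); zero counters so the
# comparison window with Suricata's stats starts now.
apply_live() {
    iptables-save | build_ruleset "$WAN_IF" "$QUEUE_NUM" | iptables-restore
    iptables -Z
}

# The two NFQUEUE rows should account for nearly all WAN packets. Compare their
# sum with ips.accepted + ips.blocked in stats.log for the same period; a gap
# means packets are being ACCEPTed (or DROPped) somewhere before the queue.
check_counters() {
    iptables -nvxL ACCEPT_NFQUEUE
}

if [ "${1:-}" = "apply" ]; then
    apply_live
    check_counters
fi
```

Run it with no arguments to see the rewritten ruleset; run it as root with "apply" to install the rules and print the chain counters. If you only want to check a single protocol, as suggested above, narrow the two NFQUEUE rules with e.g. "-p tcp --dport 80" before applying.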


