Next/20190124/v4 #3625
Merged
In the eve log the decoder events are added as optional counters. This behaviour is enabled by default. However, lots of the counters are missing, as the names collide with other counters.

E.g.
decoder.ipv6 counts ipv6 packets
decoder.ipv6.unknown_next_header counts how often an unknown next header is encountered.

In this example 'ipv6' would be both a json integer and a json object. It appears that jansson favours the first that is generated, so the event counters are mostly missing.

This patch registers them as 'decoder.events.<event>' instead. As these names are generated on the fly, a hash table to contain the allocated strings was added as well.
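The name collision described in the commit message above, as an added example that is not part of the commit or of the Suricata code base. It models the "first one generated wins" behaviour the message reports rather than calling jansson, uses the `decoder.event.` prefix from the PR description's example, and all counter values are constructed.

```python
# Added illustration; counter values are constructed sample data.
PACKET_COUNTERS = [("decoder.pkts", 1000), ("decoder.ipv4", 700), ("decoder.ipv6", 250)]
EVENT_COUNTERS = [("ipv4.trunc_pkt", 1), ("ipv6.unknown_next_header", 3)]


def register_events(events, prefix):
    """Return the event counters under the given registration prefix."""
    return [(prefix + name, value) for name, value in events]


def find_collisions(names):
    """Names that are both a counter (JSON integer) and a parent (JSON object)."""
    names = set(names)
    return sorted(n for n in names if any(o.startswith(n + ".") for o in names))


def build_nested(counters):
    """Nest dotted names into a dict; the first value written to a key wins.

    Assumption: this models the behaviour the commit message describes.
    Returns (tree, dropped), where dropped lists the names that were lost.
    """
    tree, dropped = {}, []
    for name, value in counters:
        node, parts, ok = tree, name.split("."), True
        for part in parts[:-1]:
            child = node.setdefault(part, {})
            if not isinstance(child, dict):  # e.g. 'ipv6' already holds an integer
                ok = False
                break
            node = child
        if ok and parts[-1] not in node:
            node[parts[-1]] = value
        else:
            dropped.append(name)
    return tree, dropped


def report(prefix):
    """Collisions, dropped names and resulting tree for one event prefix."""
    counters = PACKET_COUNTERS + register_events(EVENT_COUNTERS, prefix)
    tree, dropped = build_nested(counters)
    return find_collisions(n for n, _ in counters), dropped, tree


if __name__ == "__main__":
    for prefix in ("decoder.", "decoder.event."):
        collisions, dropped, _ = report(prefix)
        print(f"{prefix!r}: collisions={collisions} dropped={dropped}")
```

Running `find_collisions` over the counter names in an existing stats record is a quick way to see which event counters a dashboard or alert built on the old names never received.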
If a bad RST was received the stream inspection would not happen for that packet, but it would still move the 'raw progress' tracker forward. Following good packets would then fail to detect anything before the 'raw progress' position.

Bug OISF#2770

Reported-by: Alexey Vishnyakov
On a first quick look, I don't like seeing the configuration option being in the config and not just in the documentation. But I suppose that is to keep 4.1.x releases behaving the same? And we could remove it in 5.0 and just have it in the documentation?
This is what a full run on a busy box looks like in terms of stats. Seems the formatting is off in some places due to the longer names.
Most intrusive here is the eve.stats decoder events handling to fix ticket 2225. In existing setups it should keep behaving unchanged, although it will show warnings.
For new setups using the shipped yaml, the decoder events prefix in the logs will be 'decoder.event' (e.g. decoder.event.ipv6.unknown_next_header).
Warnings are added to indicate that in 5.0 this will become the overall default.
cc: @satta
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/2225
https://redmine.openinfosecfoundation.org/issues/2770
Describe changes:
PRScript output (if applicable):