I am trying to do some benchmarks for Suricata and am a little confused about some of the metrics I need. As the title implies, does decoder.pkts include all the packets received by Suricata? Also, is there another counter I can use to count all the passed packets?
By “passed” you mean packets that didn’t generate alerts?
The alert count is available as detect.alert (or similar), if that would help.
So I mean literally all packets that flow back to the client from Suricata. I guess it could be the packets matching either “alert” rules or “pass” rules. So I am not sure whether decoder.alerts would be a good one?
From your message, I’m presuming that you’re running Suricata in inline or IPS mode and that you want to know the statistics for how many packets are not dropped by Suricata?
Yeah, you are right. I am running in IPS mode and I would like to see both the total received packets for Suricata and the packets not dropped by Suricata. Sorry, I didn’t clarify my environment info.
What IPS mode do you use? NFQUEUE or AF_PACKET?
Could you post a stats.log output?
We are using the AF_PACKET mode.
eve-stats.json (20.7 KB)
I attached one sample eve-stats.json here. So basically I cannot see stats for total received packets and total passed packets for the Suricata engine. Is that the case?
Hello. Does somebody have ideas on this? Basically we are just trying to monitor the statistics for Suricata, but maybe our needs are not that common?
Please be patient if you don’t get an instant response.
I looked into your stats file and saw this:
"detect": {
  "engines": [
    {
      "id": 0,
      "rules_failed": 0,
      "rules_loaded": 3,
      "last_reload": "2020-08-14T03:43:27.368943+0000"
    }
  ],
  "alert": 0,
  "alert_delta": 0,
  "drop_packets": 0,
  "drop_packets_delta": 0,
  "drop_bytes": 0,
  "drop_bytes_delta": 0
}
So only 3 rules were loaded and none of them hit. That would explain why the counters are 0.
The general counter for capture packets is here:
"capture": {
  "kernel_packets": 272007,
  "kernel_packets_delta": 2,
  "kernel_drops": 0,
  "kernel_drops_delta": 0,
  "errors": 0,
  "errors_delta": 0
},
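To turn the counters named in the reply above into the "received" and "passed" figures the question asks for, here is an added example script; it is not part of this thread and not code from the Suricata project. It assumes the eve stats layout shown above (`capture.kernel_packets`, `capture.kernel_drops`, `detect.alert`, `detect.drop_packets`) plus the `decoder.pkts` counter the question mentions, and it treats "passed" as `decoder.pkts - detect.drop_packets`, which is an interpretation for IPS mode, not a counter Suricata emits itself. The sample eve lines embedded in it are constructed, with made-up values.

```python
import json
from typing import Dict, Iterable, Iterator, List

# Constructed sample input: "stats" events as Suricata writes them to eve.json,
# one JSON object per line, with an unrelated event interleaved and a
# truncated trailing line (what you see when tailing a live eve.json).
# All counter values are invented for this example.
SAMPLE_EVE_LINES = [
    json.dumps({
        "timestamp": "2020-08-14T03:44:00.000000+0000",
        "event_type": "stats",
        "stats": {
            "capture": {"kernel_packets": 272007, "kernel_drops": 0, "errors": 0},
            "decoder": {"pkts": 272007, "bytes": 30123456},
            "detect": {"alert": 0, "drop_packets": 0, "drop_bytes": 0},
        },
    }),
    json.dumps({"timestamp": "2020-08-14T03:44:03.100000+0000",
                "event_type": "flow", "flow": {}}),
    json.dumps({
        "timestamp": "2020-08-14T03:44:08.000000+0000",
        "event_type": "stats",
        "stats": {
            "capture": {"kernel_packets": 272509, "kernel_drops": 3, "errors": 0},
            "decoder": {"pkts": 272506, "bytes": 30190000},
            "detect": {"alert": 4, "drop_packets": 2, "drop_bytes": 1200},
        },
    }),
    '{"timestamp": "2020-08-14T03:44:16.000000+0000", "event_type": "st',
]

FIELDS = ("kernel_packets", "kernel_drops", "decoded", "engine_drops", "alerts", "passed")


def stats_events(lines: Iterable[str]) -> Iterator[dict]:
    """Yield every eve event whose event_type is "stats"; skip blank or half-written lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial last line of a file still being written
        if event.get("event_type") == "stats":
            yield event


def packet_summary(stats: dict) -> Dict[str, int]:
    """Reduce one stats object to the packet counters that matter for IPS monitoring.

    Every eve stats counter is cumulative since engine start, so these are
    running totals, not per-interval figures.
    """
    capture = stats.get("capture", {})
    decoder = stats.get("decoder", {})
    detect = stats.get("detect", {})
    decoded = decoder.get("pkts", 0)               # packets Suricata actually decoded
    engine_drops = detect.get("drop_packets", 0)   # packets dropped by "drop" rules
    return {
        "kernel_packets": capture.get("kernel_packets", 0),  # seen on the capture socket
        "kernel_drops": capture.get("kernel_drops", 0),      # lost before Suricata read them
        "decoded": decoded,
        "engine_drops": engine_drops,
        "alerts": detect.get("alert", 0),
        # Assumption (not a Suricata counter): packets the IPS forwarded are the
        # decoded packets minus those the detection engine dropped.
        "passed": decoded - engine_drops,
    }


def interval_deltas(summaries: List[Dict[str, int]]) -> List[Dict[str, int]]:
    """Turn consecutive cumulative summaries into per-interval increments."""
    return [{k: cur[k] - prev[k] for k in FIELDS}
            for prev, cur in zip(summaries, summaries[1:])]


def summarize_eve(lines: Iterable[str]) -> dict:
    """Parse eve lines and return cumulative totals plus per-interval deltas."""
    summaries = [packet_summary(ev["stats"]) for ev in stats_events(lines)]
    return {"totals": summaries, "deltas": interval_deltas(summaries)}


if __name__ == "__main__":
    result = summarize_eve(SAMPLE_EVE_LINES)
    for tag, rows in result.items():
        for row in rows:
            print(tag, " ".join(f"{k}={v}" for k, v in row.items()))
```

Run it against a real file with `summarize_eve(open("eve.json"))`. Suricata can also emit the `*_delta` fields visible in the output above when delta reporting is enabled for the stats logger; the script derives its own deltas so it works either way. Note that `kernel_drops` counts packets the kernel discarded before Suricata ever read them, which in AF_PACKET IPS mode means they were never forwarded, so they belong neither to "decoded" nor to "passed".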