decode/ethertype: Event on unknown ethertype #11632
Conversation
Issue: 7129 Create a decode/engine event if unknown ethertypes are observed.
jlucovsky
requested review from
jufajardini,
victorjulien and
a team
as code owners
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #11632 +/- ##
==========================================
- Coverage 82.61% 82.50% -0.12%
==========================================
Files 919 919
Lines 248997 249004 +7
==========================================
- Hits 205717 205432 -285
- Misses 43280 43572 +292
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
So out of the box behavior would be to log the first unknown ether_type, then after 60 seconds, relog for that same one or perhaps another? So in the case where there are multiple unknown ethertype being seen, it could be a while, or even never before they all get logged? |
Oh, I see Victor already commented on this: #11455 (comment) I wonder how we can capture this information for users. |
|
Information: QA ran without warnings. Pipeline 22126 |
What information would we want to collect? The invalid ethertype values are probably due to misconfiguration or an unsupported encapsulation type. |
For me its more about a comment/documentation on how not all unknown types may generate an event, so you might not be able to enumerate them. Since the thresholding is done on the rule, not the ethernet type. |
If I understand the situation correctly, we have stats for each time an unknown ethertype is seen, but our event-based Suricata rule, due to thresholding, might not catch all (possibly) different cases, is that right? I have two documentation suggestions:
|
We will not be able to provide information as to what the unknown ethertype values were.
|
The information requested was the list of all unsupported encapsulation types seen on the wire... |
| @@ -1322,6 +1326,9 @@ void DecodeUnregisterCounters(void); | |||
| #define PKT_FIRST_ALERTS BIT_U32(29) | |||
| #define PKT_FIRST_TAG BIT_U32(30) | |||
|
|
|||
| /** Unknown/unsupported */ | |||
| #define PKT_IS_UNKNOWN BIT_U32(31) | |||
There was a problem hiding this comment.
Maybe precise unknown ether type
As we can have another "unknown" ip type
|
So, for me this PR is good in itself, but not complete : |
Like, have these in our docs? If yes, I approve of this suggestion! |
No, not in our docs, the feature request was like "I have this network traffic, I want Suricata to tell me which ethernet types in this network traffic are unsupported by Suricata" |
Oh, so when Suri sees something unsupported, it would log out what type that is? |
It is a way to solve this |
Except we can't log output at packet rates. That's the issue with packet decode events -- how to provide enough information without creating a log storm. Thoughts or ideas? That's where the thresholds are valuable (rate limiting) but there is information loss. |
Maybe... not for real usage, but for investigation purposes, could we save stats on these unknown ether types and save this as some sort of data set? Like... if we see an unknown ethertype, we save that to a table, and if that shows up again, we increase that stats counter. Or, idk, it's just already in the data set. And as with stats, we regularly update the file. But not something to be enabled all the time. 🤔 (brainstorm mode off)
|
The people asking for the feature can log at packet rate an anomaly event for every packet that has an unknown ethernet type (which means not every packet at all)... This PR already provides the event to have a rule for unknown ethernet type (and it is good), so people can already do the log storm if they want. |
|
Continued in #11850 |
Continuation of #11557
Issue: 7129
Create a decode/engine event if unknown ethertypes are observed.
Link to ticket: https://redmine.openinfosecfoundation.org/issues/7129
Describe changes:
Updates
Provide values to any of the below to override the defaults.
link to the pull request in the respective
_BRANCHvariable.SV_REPO=
SV_BRANCH=OISF/suricata-verify#1954
SU_REPO=
SU_BRANCH=
LIBHTP_REPO=
LIBHTP_BRANCH=