upstream/suricata
1
0
Fork 0
mirror of https://github.com/OISF/suricata.git synced 2026-05-28 04:32:12 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

docs: add firewall stats doc

Browse source 
Related to
Ticket #7699
This commit is contained in:
Juliana Fajardini 2026-04-05 17:50:19 -03:00 committed by Victor Julien
parent 8028b85efe
commit 09548dbca8
3 changed files with 36 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
doc/userguide/configuration/suricata-yaml.rst
View file

@ -2813,7 +2813,7 @@ Please read :ref:`Firewall Mode Design <firewall mode design>` before using this
The existing yaml configuration options are listed below. If the engine is run
in firewall mode, dedicated stats counters will be added to the stats logs.
To see the stats counters reported for the firewall, refer to :ref:`firewall mode stats`.
To see the stats reported for the firewall mode, refer to :ref:`firewall mode stats`.
::

34
doc/userguide/firewall/firewall-stats.rst Normal file
View file

@ -0,0 +1,34 @@
.. _firewall mode stats:
Firewall Mode Stats
*******************
Statistics counters for the firewall mode cover:
- drop reasons: ``stats.firewall.drop_reason``
- discarded alerts: ``stats.firewall.discarded_alerts``
- blocked packets: ``stats.firewall.blocked``
- accepted packets: ``stats.firewall.accepted``
- rejected packets: ``stats.firewall.rejected``
These will be present in the stats logs if the engine is run in firewall mode,
only.
Drop reasons
============
If a drop was caused by the firewall, the corresponding counter will be incremented. The existing ones are:
- ``rules``: a firewall rule triggered the drop
- ``default_packet_policy``: drop caused by the default fail closed firewall behavior, on the packet hook level
- ``default_app_policy``: drop caused by the default fail close firewall behavior, on the app-layer hook level
- ``pre_flow_hook``: drop caused by the pre-flow hook
- ``pre_stream_hook``: drop caused by the pre-stream hook
- ``flow_drop``: the whole flow was dropped after a firewall action.
Discarded alerts
================
In Firewall mode, alerts generated *after* a drop are discarded.
These are reported with the counter ``stats.firewall.discarded_alerts``.
Note that the drop may be caused by non-firewall rules.

1
doc/userguide/firewall/index.rst
View file

@ -5,3 +5,4 @@ Firewall Mode
firewall-design
firewall-example
firewall-stats