Project

General

Profile

Actions

Bug #4941

closed

alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit

Added by Victor Julien 11 months ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport to 5.0, Needs backport to 6.0

Description

Changes in alerting in 5.0.8/6.0.4 store noalert sigs in the packet alert array before removing them when finalizing the alerts. This solved several issues (#4663, #4670), however it introduces a new issue.

When many noalert rules are used, for example for flowbit "setter" logic, these rules now consume space in the alert array, leaving less space for "real" alerts that should be outputted. Since there is a built-in limit of 15 (see #4207) its not hard to reach this limit.


Subtasks 4 (0 open4 closed)

Optimization #4207: Use configurable or more dynamic @ PACKET_ALERT_MAX@ClosedJuliana Fajardini ReichowActions
Optimization #5178: detect/alert: improve packet alert queue handlingRejectedJuliana Fajardini ReichowActions
Task #4942: alerts: SV test for noalert issueClosedShivani BhardwajActions
Optimization #4943: alerts: use alert queing in DetectEngineThreadCtxClosedJuliana Fajardini ReichowActions

Related issues 4 (0 open4 closed)

Related to Bug #4663: rules: drop rules with noalert not fully droppingClosedVictor JulienActions
Related to Bug #4670: rules: mix of drop and pass rules issuesClosedVictor JulienActions
Copied to Bug #5120: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (6.0.x backport)ClosedJuliana Fajardini ReichowActions
Copied to Bug #5124: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (5.0.x backport)ClosedJuliana Fajardini ReichowActions
Actions #1

Updated by Victor Julien 11 months ago

  • Affected Versions 5.0.8, 6.0.4 added
Actions #2

Updated by Victor Julien 11 months ago

  • Related to Bug #4663: rules: drop rules with noalert not fully dropping added
Actions #3

Updated by Victor Julien 11 months ago

  • Related to Bug #4670: rules: mix of drop and pass rules issues added
Actions #4

Updated by Victor Julien 10 months ago

  • Assignee set to OISF Dev
Actions #5

Updated by Jeff Lucovsky 10 months ago

  • Copied to Bug #5120: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (6.0.x backport) added
Actions #6

Updated by Jeff Lucovsky 10 months ago

  • Copied to Bug #5124: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (5.0.x backport) added
Actions #7

Updated by Juliana Fajardini Reichow 7 months ago

  • Assignee changed from OISF Dev to Juliana Fajardini Reichow
Actions #8

Updated by Juliana Fajardini Reichow 7 months ago

I think https://github.com/OISF/suricata/pull/7347 would solve this, right?

Actions #9

Updated by Juliana Fajardini Reichow 7 months ago

  • Status changed from New to Resolved
Actions #10

Updated by Victor Julien 4 months ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF