Bug #4941
closed
alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit
Description
Changes in alerting in 5.0.8/6.0.4 store noalert sigs in the packet alert array before removing them when finalizing the alerts. This solved several issues (#4663, #4670); however, it introduces a new issue.
When many noalert rules are used, for example for flowbit "setter" logic, these rules now consume space in the alert array, leaving less space for "real" alerts that should be output. Since there is a built-in limit of 15 (see #4207), it's not hard to reach this limit.
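The following is an added illustration of the failure mode described in this report; it is not Suricata code. It models a fixed-size alert array of 15 entries (the built-in limit the report references via #4207) in which every matching signature, noalert or not, takes a slot until the alerts are finalized, and contrasts it with a variant that never lets noalert signatures into the array. The rule SIDs, the match order and the function names are constructed for the example; the contrast variant is only the behaviour implied by the description, not the change made in PR 7347.

```python
"""Simplified model of the packet alert array limit discussed in bug #4941.

Added example, not Suricata source. The limit of 15 and the "store noalert
sigs, prune at finalize" behaviour come from the bug description; everything
else (SIDs, match order, helper names) is constructed for illustration.
"""
from dataclasses import dataclass

PACKET_ALERT_MAX = 15  # built-in alert limit referenced in the report (#4207)


@dataclass(frozen=True)
class Sig:
    sid: int
    noalert: bool = False  # True for e.g. a flowbit "setter" rule with noalert


def append_alerts_store_then_prune(matches):
    """5.0.8/6.0.4 behaviour as described in the report.

    Every matching signature is appended to the fixed-size array in match
    order; noalert entries are only removed when the alerts are finalized.
    Once the array is full, later matches are dropped (simplified: we stop).
    """
    array = []
    for sig in matches:
        if len(array) >= PACKET_ALERT_MAX:
            break  # array full: this and all later matches are lost
        array.append(sig)
    # finalize: noalert sigs are pruned, but the slots they held are gone
    return [s for s in array if not s.noalert]


def append_alerts_skip_noalert(matches):
    """Contrast variant: noalert sigs never enter the array.

    This is the behaviour the description implies for releases before
    5.0.8/6.0.4 (assumption); it is NOT the fix from PR 7347, whose details
    are not on this page.
    """
    array = []
    for sig in matches:
        if sig.noalert:
            continue  # never consumes a slot
        if len(array) >= PACKET_ALERT_MAX:
            break
        array.append(sig)
    return array


def build_matches(n_setters, n_real):
    """Constructed match set: n_setters noalert flowbit setters match first,
    followed by n_real alerting signatures (e.g. flowbit "checkers")."""
    setters = [Sig(1000 + i, noalert=True) for i in range(n_setters)]
    real = [Sig(2000 + i) for i in range(n_real)]
    return setters + real


def lost_real_alerts(n_setters, n_real):
    """Number of alerting signatures that never make it to output under the
    store-then-prune behaviour."""
    kept = append_alerts_store_then_prune(build_matches(n_setters, n_real))
    return n_real - len(kept)


def main():
    for n_setters in (0, 14, 15):
        matches = build_matches(n_setters, 1)
        kept_bug = append_alerts_store_then_prune(matches)
        kept_skip = append_alerts_skip_noalert(matches)
        print(f"{n_setters:2d} noalert setters + 1 real alert: "
              f"store-then-prune outputs {len(kept_bug)}, "
              f"skip-noalert outputs {len(kept_skip)}")


if __name__ == "__main__":
    main()
```

With 15 noalert setters matching ahead of a single alerting rule, the store-then-prune array is already full when the real alert arrives, so nothing is output for that packet even though only one signature was ever meant to alert; with 14 setters the real alert still fits. The contrast variant outputs the real alert in every case because the setters never occupy a slot.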
Updated by Victor Julien about 4 years ago
- Affected Versions 5.0.8, 6.0.4 added
Updated by Victor Julien about 4 years ago
- Related to Bug #4663: rules: drop rules with noalert not fully dropping added
Updated by Victor Julien about 4 years ago
- Related to Bug #4670: rules: mix of drop and pass rules issues added
Updated by Victor Julien about 4 years ago
- Assignee set to OISF Dev
Updated by Jeff Lucovsky about 4 years ago
- Copied to Bug #5120: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (6.0.x backport) added
Updated by Jeff Lucovsky about 4 years ago
- Copied to Bug #5124: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (5.0.x backport) added
Updated by Juliana Fajardini Reichow almost 4 years ago
- Assignee changed from OISF Dev to Juliana Fajardini Reichow
Updated by Juliana Fajardini Reichow almost 4 years ago
I think https://github.com/OISF/suricata/pull/7347 would solve this, right?
Updated by Juliana Fajardini Reichow almost 4 years ago
- Status changed from New to Resolved
Updated by Victor Julien over 3 years ago
- Status changed from Resolved to Closed