Actions
Optimization #4943
closedBug #4941: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit
alerts: use alert queing in DetectEngineThreadCtx
Effort:
Difficulty:
Label:
Description
Currently each alert is written directly to Packet::alerts during rule evaluation. Then at the end of the detection run for a packet, PacketAlertFinalize removes entries again, when applying thresholding, suppression and noalert. This leads to the issue in #4941 but is often also not very efficient esp when there are multiple rules to remove.
The idea of this ticket is to use a per DetectEngineThreadCtx specific queue of some sort to store the alert "candidates" and have PacketAlertFinalize only write the final alerts to the Packet structure.
Updated by Jeff Lucovsky 7 months ago
- Copied to Optimization #5123: alerts: use alert queing in DetectEngineThreadCtx (5.0.x backport) added
Updated by Jeff Lucovsky 7 months ago
- Copied to Optimization #5127: alerts: use alert queing in DetectEngineThreadCtx (6.0.x backport) added
Updated by Juliana Fajardini Reichow 6 months ago
- Assignee set to Juliana Fajardini Reichow
Updated by Juliana Fajardini Reichow 5 months ago
- Related to Documentation #5274: devguide: document how the alert flow works added
Updated by Juliana Fajardini Reichow 5 months ago
- Status changed from New to In Progress
Updated by Juliana Fajardini Reichow 5 months ago
- Status changed from In Progress to In Review
PR for review: https://github.com/OISF/suricata/pull/7284
Updated by Juliana Fajardini Reichow 5 months ago
- Status changed from In Review to Closed
Merged PR: https://github.com/OISF/suricata/pull/7347#
Actions