Optimization #4943
Related to Bug #4941 (closed): alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit
alerts: use alert queuing in DetectEngineThreadCtx
Description
Currently each alert is written directly to Packet::alerts during rule evaluation. Then, at the end of the detection run for a packet, PacketAlertFinalize removes entries again when applying thresholding, suppression and noalert. This leads to the issue in #4941 and is often also not very efficient, especially when there are multiple rules to remove.

The idea of this ticket is to use a per-DetectEngineThreadCtx queue of some sort to store the alert "candidates" and have PacketAlertFinalize only write the final alerts to the Packet structure.
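The following is an added illustration of the two flows the description contrasts; it is not Suricata's code. All struct layouts, function names and the values PACKET_ALERT_MAX (15) and ALERT_QUEUE_MAX (64) are assumptions for the example. The constructed rule set has the noalert rules match before the alerting ones, which is the shape of the problem in #4941: in the old flow the noalert matches fill Packet::alerts up to the limit and are then removed again, so the real alerts never make it; with a per-thread candidate queue, filtering happens before the packet is touched and only emitted alerts count towards the limit.

```c
#include <stdint.h>

/* Assumed values for the example, not Suricata's definitions. */
#define PACKET_ALERT_MAX 15     /* per-packet alert limit */
#define ALERT_QUEUE_MAX  64     /* capacity of the per-thread candidate queue */
#define SIG_FLAG_NOALERT (1u << 0)

typedef struct Signature_ {
    uint32_t id;
    uint32_t flags;
} Signature;

typedef struct PacketAlert_ {
    uint32_t sid;
    const Signature *s;
} PacketAlert;

typedef struct Packet_ {
    PacketAlert alerts[PACKET_ALERT_MAX];
    uint16_t alert_cnt;
} Packet;

/* Per-thread candidate queue living in the detect thread context (assumed layout). */
typedef struct DetectEngineThreadCtx_ {
    const Signature *alert_queue[ALERT_QUEUE_MAX];
    uint16_t alert_queue_cnt;
} DetectEngineThreadCtx;

/* Old flow: every match goes straight into Packet::alerts ... */
static void OldPacketAlertAppend(Packet *p, const Signature *s)
{
    if (p->alert_cnt < PACKET_ALERT_MAX) {
        p->alerts[p->alert_cnt].sid = s->id;
        p->alerts[p->alert_cnt].s = s;
        p->alert_cnt++;
    }
}

/* ... and noalert entries are removed again afterwards by compacting the array. */
static void OldPacketAlertFinalize(Packet *p)
{
    uint16_t kept = 0;
    for (uint16_t i = 0; i < p->alert_cnt; i++) {
        if (p->alerts[i].s->flags & SIG_FLAG_NOALERT)
            continue;
        p->alerts[kept++] = p->alerts[i];
    }
    p->alert_cnt = kept;
}

/* Queued flow: a match only becomes a candidate in the thread context. */
static void QueuedPacketAlertAppend(DetectEngineThreadCtx *det_ctx, const Signature *s)
{
    if (det_ctx->alert_queue_cnt < ALERT_QUEUE_MAX)
        det_ctx->alert_queue[det_ctx->alert_queue_cnt++] = s;
}

/* Filtering runs before anything is written to the packet, so the limit only
 * counts alerts that will actually be emitted. */
static void QueuedPacketAlertFinalize(DetectEngineThreadCtx *det_ctx, Packet *p)
{
    for (uint16_t i = 0; i < det_ctx->alert_queue_cnt && p->alert_cnt < PACKET_ALERT_MAX; i++) {
        const Signature *s = det_ctx->alert_queue[i];
        if (s->flags & SIG_FLAG_NOALERT)
            continue;
        p->alerts[p->alert_cnt].sid = s->id;
        p->alerts[p->alert_cnt].s = s;
        p->alert_cnt++;
    }
    det_ctx->alert_queue_cnt = 0;   /* queue is reused for the next packet */
}

/* Constructed rule set: PACKET_ALERT_MAX noalert rules match first, then three alerting rules. */
#define N_SIGS (PACKET_ALERT_MAX + 3)
static void BuildSigs(Signature sigs[N_SIGS])
{
    for (uint32_t i = 0; i < N_SIGS; i++) {
        sigs[i].id = 1000 + i;
        sigs[i].flags = (i < PACKET_ALERT_MAX) ? SIG_FLAG_NOALERT : 0;
    }
}

/* Alerts that reach the packet under the old flow: the noalert rules exhaust the limit first. */
uint16_t OldFlowAlertCount(void)
{
    Signature sigs[N_SIGS];
    Packet p = {0};
    BuildSigs(sigs);
    for (int i = 0; i < N_SIGS; i++)
        OldPacketAlertAppend(&p, &sigs[i]);
    OldPacketAlertFinalize(&p);
    return p.alert_cnt;
}

/* Alerts that reach the packet under the queued flow: only real alerts count towards the limit. */
uint16_t QueuedFlowAlertCount(void)
{
    Signature sigs[N_SIGS];
    Packet p = {0};
    DetectEngineThreadCtx det_ctx = {0};
    BuildSigs(sigs);
    for (int i = 0; i < N_SIGS; i++)
        QueuedPacketAlertAppend(&det_ctx, &sigs[i]);
    QueuedPacketAlertFinalize(&det_ctx, &p);
    return p.alert_cnt;
}
```

OldFlowAlertCount returns 0 and QueuedFlowAlertCount returns 3 for the same rule set. The queued finalize also avoids the repeated compaction of the old path: each candidate is visited once and either skipped or copied, instead of being written and then shifted out again.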
Updated by Jeff Lucovsky 12 months ago
- Copied to Optimization #5123: alerts: use alert queuing in DetectEngineThreadCtx (5.0.x backport) added
Updated by Jeff Lucovsky 12 months ago
- Copied to Optimization #5127: alerts: use alert queuing in DetectEngineThreadCtx (6.0.x backport) added
Updated by Juliana Fajardini Reichow 10 months ago
- Assignee set to Juliana Fajardini Reichow
Updated by Juliana Fajardini Reichow 10 months ago
- Related to Documentation #5274: devguide: document how the alert flow works added
Updated by Juliana Fajardini Reichow 9 months ago
- Status changed from New to In Progress
Updated by Juliana Fajardini Reichow 9 months ago
- Status changed from In Progress to In Review
PR for review: https://github.com/OISF/suricata/pull/7284
Updated by Juliana Fajardini Reichow 9 months ago
- Status changed from In Review to Closed
Merged PR: https://github.com/OISF/suricata/pull/7347