Optimization #4943

Bug #4941: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit

alerts: use alert queuing in DetectEngineThreadCtx

Added by Victor Julien 11 months ago. Updated 7 months ago.

Status: Closed
Priority: Normal
Target version: -

Description

Currently each alert is written directly to Packet::alerts during rule evaluation. Then, at the end of the detection run for a packet, PacketAlertFinalize removes entries again when applying thresholding, suppression and noalert. This leads to the issue in #4941, and it is often also not very efficient, especially when there are multiple rules to remove.

The idea of this ticket is to use a per DetectEngineThreadCtx specific queue of some sort to store the alert "candidates" and have PacketAlertFinalize only write the final alerts to the Packet structure.
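To make the two flows concrete, here is a small added model (not Suricata's code) of the problem in #4941 and of the candidate-queue design this ticket proposes. PACKET_ALERT_MAX stands in for the built-in per-packet alert limit and its value is assumed; the type and function names only mirror the ones mentioned above.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model of the alert flow; PACKET_ALERT_MAX is an assumed limit value. */
#define PACKET_ALERT_MAX 15
#define CANDIDATE_MAX 64

typedef struct { unsigned int sid; bool noalert; } Signature;
typedef struct { unsigned int sids[PACKET_ALERT_MAX]; size_t cnt; } Packet;
/* Per-thread candidate queue, standing in for DetectEngineThreadCtx. */
typedef struct { const Signature *cand[CANDIDATE_MAX]; size_t cnt; } DetectEngineThreadCtx;

/* Old flow: every match lands in Packet::alerts immediately, noalert included,
 * so noalert signatures consume slots of the per-packet limit (#4941)... */
static void OldAppend(Packet *p, const Signature *s) {
    if (p->cnt < PACKET_ALERT_MAX) p->sids[p->cnt++] = s->sid;
}
/* ...and finalize has to walk the array again to remove the noalert entries. */
static void OldFinalize(Packet *p, const Signature *sigs, size_t nsigs) {
    size_t w = 0;
    for (size_t r = 0; r < p->cnt; r++) {
        bool keep = true;
        for (size_t i = 0; i < nsigs; i++)
            if (sigs[i].sid == p->sids[r] && sigs[i].noalert) keep = false;
        if (keep) p->sids[w++] = p->sids[r];
    }
    p->cnt = w;
}

/* New flow: matches are only queued as candidates in the thread ctx... */
static void QueueCandidate(DetectEngineThreadCtx *det_ctx, const Signature *s) {
    if (det_ctx->cnt < CANDIDATE_MAX) det_ctx->cand[det_ctx->cnt++] = s;
}
/* ...and finalize writes the final alerts to the Packet, applying noalert and the limit once. */
static void NewFinalize(DetectEngineThreadCtx *det_ctx, Packet *p) {
    for (size_t i = 0; i < det_ctx->cnt && p->cnt < PACKET_ALERT_MAX; i++)
        if (!det_ctx->cand[i]->noalert) p->sids[p->cnt++] = det_ctx->cand[i]->sid;
    det_ctx->cnt = 0;
}

/* Constructed scenario: PACKET_ALERT_MAX noalert matches first, then one alerting rule.
 * Returns how many alerts survive finalize; old_flow selects which path is exercised. */
size_t AlertsSurviving(bool old_flow) {
    enum { N = PACKET_ALERT_MAX + 1 };
    Signature sigs[N];
    for (size_t i = 0; i < N; i++) { sigs[i].sid = (unsigned int)(1000 + i); sigs[i].noalert = (i < PACKET_ALERT_MAX); }
    Packet p = { .cnt = 0 };
    DetectEngineThreadCtx det_ctx = { .cnt = 0 };
    for (size_t i = 0; i < N; i++) {
        if (old_flow) OldAppend(&p, &sigs[i]); else QueueCandidate(&det_ctx, &sigs[i]);
    }
    if (old_flow) OldFinalize(&p, sigs, N); else NewFinalize(&det_ctx, &p);
    return p.cnt;
}
```

In the old flow the fifteen noalert matches fill Packet::alerts before the alerting rule is evaluated, so that alert is dropped and finalize then empties the array; in the queued flow the same alert survives.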


Related issues (3; 1 open, 2 closed)

  • Related to Documentation #5274: devguide: document how the alert flow works (In Progress, Juliana Fajardini Reichow)
  • Copied to Optimization #5123: alerts: use alert queuing in DetectEngineThreadCtx (5.0.x backport) (Closed, Juliana Fajardini Reichow)
  • Copied to Optimization #5127: alerts: use alert queuing in DetectEngineThreadCtx (6.0.x backport) (Closed, Juliana Fajardini Reichow)
History

#1 Updated by Jeff Lucovsky 10 months ago

  • Copied to Optimization #5123: alerts: use alert queuing in DetectEngineThreadCtx (5.0.x backport) added

#2 Updated by Jeff Lucovsky 10 months ago

  • Copied to Optimization #5127: alerts: use alert queuing in DetectEngineThreadCtx (6.0.x backport) added

#3 Updated by Juliana Fajardini Reichow 8 months ago

  • Assignee set to Juliana Fajardini Reichow

#4 Updated by Juliana Fajardini Reichow 8 months ago

#5 Updated by Juliana Fajardini Reichow 7 months ago

  • Status changed from New to In Progress

#6 Updated by Juliana Fajardini Reichow 7 months ago

  • Status changed from In Progress to In Review

#7 Updated by Juliana Fajardini Reichow 7 months ago

  • Status changed from In Review to Closed