Optimization #5123
closedBug #5124: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (5.0.x backport)
alerts: use alert queing in DetectEngineThreadCtx (5.0.x backport)
Description
Currently each alert is written directly to Packet::alerts during rule evaluation. Then at the end of the detection run for a packet, PacketAlertFinalize removes entries again, when applying thresholding, suppression and noalert. This leads to the issue in #4941 but is often also not very efficient esp when there are multiple rules to remove.
The idea of this ticket is to use a per DetectEngineThreadCtx specific queue of some sort to store the alert "candidates" and have PacketAlertFinalize only write the final alerts to the Packet structure.
Updated by Jeff Lucovsky 8 months ago
- Copied from Optimization #4943: alerts: use alert queing in DetectEngineThreadCtx added
Updated by Juliana Fajardini Reichow 7 months ago
- Related to Optimization #5178: detect/alert: improve packet alert queue handling added
Updated by Juliana Fajardini Reichow 5 months ago
- Assignee changed from OISF Dev to Juliana Fajardini Reichow
- Target version set to 5.0.10
Updated by Juliana Fajardini Reichow 5 months ago
- Status changed from New to In Progress
Updated by Juliana Fajardini Reichow 5 months ago
- Status changed from In Progress to In Review
PR for review: https://github.com/OISF/suricata/pull/7379
Updated by Juliana Fajardini Reichow 5 months ago
- Subject changed from alerts: use alert queing in DetectEngineThreadCtx to alerts: use alert queing in DetectEngineThreadCtx (5.0.x backport)
Updated by Juliana Fajardini Reichow 4 months ago
- Status changed from In Review to Closed
Merged PR: https://github.com/OISF/suricata/pull/7394