Bug #5124

closed

alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (5.0.x backport)

Added by Jeff Lucovsky about 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Changes in alerting in 5.0.8/6.0.4 store noalert sigs in the packet alert array before removing them when finalizing the alerts. This solved several issues (#4663, #4670); however, it introduces a new issue.

When many noalert rules are used, for example for flowbit "setter" logic, these rules now consume space in the alert array, leaving less space for "real" alerts that should be output. Since there is a built-in limit of 15 (see #4207), it's not hard to reach this limit.
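The following C program is an added illustration of the failure mode described above; it is not Suricata code and does not reproduce the project's actual fix (the subtasks below, alert queuing in DetectEngineThreadCtx and a configurable PACKET_ALERT_MAX, are the real remedy). It models the fixed-size per-packet alert array with a stand-in limit of 15, assumes a constructed rule match order in which 12 noalert flowbit setters match before 5 real alerting rules, and compares the described behaviour (store everything, strip noalert entries at finalize) with a simple filter-before-store variant. All names and values are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the built-in per-packet alert limit the report refers to (15). */
#define ALERT_LIMIT 15

typedef struct {
    unsigned int sid;
    bool noalert;   /* rule carries "noalert", e.g. a flowbit setter */
} Sig;

typedef struct {
    Sig entries[ALERT_LIMIT];
    size_t cnt;
} PacketAlerts;

/* Behaviour described for 5.0.8/6.0.4: every matching rule is appended to the
 * fixed-size array, noalert ones included; once it is full, later matches are
 * dropped. noalert entries are only removed when the alerts are finalized.
 * Returns how many real alerts survive to be output. */
size_t alerts_store_then_strip(const Sig *matches, size_t n) {
    PacketAlerts pa = { .cnt = 0 };
    for (size_t i = 0; i < n; i++) {
        if (pa.cnt == ALERT_LIMIT)
            break;                      /* array full: real alerts matched later are lost */
        pa.entries[pa.cnt++] = matches[i];
    }
    size_t out = 0;                     /* finalize: strip noalert entries */
    for (size_t i = 0; i < pa.cnt; i++)
        if (!pa.entries[i].noalert)
            out++;
    return out;
}

/* Illustrative mitigation (not the project's fix): a noalert rule never
 * occupies a slot, so only real alerts count towards the limit. */
size_t alerts_filter_before_store(const Sig *matches, size_t n) {
    PacketAlerts pa = { .cnt = 0 };
    for (size_t i = 0; i < n; i++) {
        if (matches[i].noalert)
            continue;                   /* setter still matched; it just takes no slot */
        if (pa.cnt == ALERT_LIMIT)
            break;
        pa.entries[pa.cnt++] = matches[i];
    }
    return pa.cnt;
}

/* Constructed sample match list: 12 noalert flowbit setters, assumed to match
 * before the 5 real alerting rules that depend on their flowbits. */
#define N_SETTERS 12
#define N_REAL 5
static size_t build_sample(Sig *out, size_t cap) {
    size_t n = 0;
    for (unsigned int i = 0; i < N_SETTERS && n < cap; i++)
        out[n++] = (Sig){ .sid = 1000000 + i, .noalert = true };
    for (unsigned int i = 0; i < N_REAL && n < cap; i++)
        out[n++] = (Sig){ .sid = 2000000 + i, .noalert = false };
    return n;
}

/* Real alerts output under the described behaviour: 12 setters fill 12 of
 * the 15 slots, so only 3 of the 5 real alerts fit. */
size_t demo_store_then_strip(void) {
    Sig m[N_SETTERS + N_REAL];
    size_t n = build_sample(m, sizeof m / sizeof m[0]);
    return alerts_store_then_strip(m, n);
}

/* Real alerts output when noalert rules never take a slot: all 5. */
size_t demo_filter_before_store(void) {
    Sig m[N_SETTERS + N_REAL];
    size_t n = build_sample(m, sizeof m / sizeof m[0]);
    return alerts_filter_before_store(m, n);
}

int main(void) {
    printf("store-then-strip:    %zu of %d real alerts output\n", demo_store_then_strip(), N_REAL);
    printf("filter-before-store: %zu of %d real alerts output\n", demo_filter_before_store(), N_REAL);
    return 0;
}
```

With the constructed input the first variant loses two real alerts silently, which is the detection gap the report is about: the rules fired, but the events never reach the output. Raising the limit only moves the threshold; the subtasks below make the limit configurable and queue alerts in the detect thread context instead.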


Subtasks 3 (0 open, 3 closed)

Optimization #5121: Use configurable or more dynamic PACKET_ALERT_MAX (5.0.x backport) (Closed, Juliana Fajardini Reichow)
Optimization #5123: alerts: use alert queuing in DetectEngineThreadCtx (5.0.x backport) (Closed, Juliana Fajardini Reichow)
Task #5126: alerts: SV test for noalert issue (Rejected, Shivani Bhardwaj)

Related issues 1 (0 open, 1 closed)

Copied from Suricata - Bug #4941: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (Closed, Juliana Fajardini Reichow)
Actions #1

Updated by Jeff Lucovsky about 2 years ago

  • Copied from Bug #4941: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit added
Actions #2

Updated by Victor Julien about 2 years ago

  • Target version changed from 5.0.9 to 5.0.10
Actions #3

Updated by Victor Julien almost 2 years ago

  • Status changed from Assigned to In Review
  • Assignee changed from Jeff Lucovsky to Juliana Fajardini Reichow
Actions #4

Updated by Victor Julien almost 2 years ago

  • Subject changed from alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit to alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (5.0.x backport)
Actions #5

Updated by Juliana Fajardini Reichow almost 2 years ago

  • Status changed from In Review to Resolved
Actions #6

Updated by Juliana Fajardini Reichow almost 2 years ago

  • Status changed from Resolved to Closed