Actions
Bug #5124
closedalerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (5.0.x backport)
Description
Changes in alerting in 5.0.8/6.0.4 store noalert
sigs in the packet alert array before removing them when finalizing the alerts. This solved several issues (#4663, #4670), however it introduces a new issue.
When many noalert
rules are used, for example for flowbit "setter" logic, these rules now consume space in the alert array, leaving less space for "real" alerts that should be outputted. Since there is a built-in limit of 15 (see #4207) its not hard to reach this limit.
Updated by Jeff Lucovsky over 2 years ago
- Copied from Bug #4941: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit added
Updated by Victor Julien over 2 years ago
- Target version changed from 5.0.9 to 5.0.10
Updated by Victor Julien over 2 years ago
- Status changed from Assigned to In Review
- Assignee changed from Jeff Lucovsky to Juliana Fajardini Reichow
Updated by Victor Julien over 2 years ago
- Subject changed from alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit to alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (5.0.x backport)
Updated by Juliana Fajardini Reichow over 2 years ago
- Status changed from In Review to Resolved
Merged PR: https://github.com/OISF/suricata/pull/7394
Updated by Juliana Fajardini Reichow over 2 years ago
- Status changed from Resolved to Closed
Actions