Actions
Bug #5124
closed
JL
JF
alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (5.0.x backport)
Bug #5124:
alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (5.0.x backport)
Description
Changes in alerting in 5.0.8/6.0.4 store noalert sigs in the packet alert array before removing them when finalizing the alerts. This solved several issues (#4663, #4670), however it introduces a new issue.
When many noalert rules are used, for example for flowbit "setter" logic, these rules now consume space in the alert array, leaving less space for "real" alerts that should be outputted. Since there is a built-in limit of 15 (see #4207) its not hard to reach this limit.
JL Updated by Jeff Lucovsky about 4 years ago
- Copied from Bug #4941: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit added
VJ Updated by Victor Julien about 4 years ago
- Target version changed from 5.0.9 to 5.0.10
VJ Updated by Victor Julien almost 4 years ago
- Status changed from Assigned to In Review
- Assignee changed from Jeff Lucovsky to Juliana Fajardini Reichow
VJ Updated by Victor Julien almost 4 years ago
- Subject changed from alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit to alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (5.0.x backport)
JF Updated by Juliana Fajardini Reichow almost 4 years ago
- Status changed from In Review to Resolved
Merged PR: https://github.com/OISF/suricata/pull/7394
JF Updated by Juliana Fajardini Reichow almost 4 years ago
- Status changed from Resolved to Closed
Actions