Optimization #5127
closedBug #5120: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (6.0.x backport)
alerts: use alert queing in DetectEngineThreadCtx (6.0.x backport)
Description
Currently each alert is written directly to Packet::alerts during rule evaluation. Then at the end of the detection run for a packet, PacketAlertFinalize removes entries again, when applying thresholding, suppression and noalert. This leads to the issue in #4941 but is often also not very efficient esp when there are multiple rules to remove.
The idea of this ticket is to use a per DetectEngineThreadCtx specific queue of some sort to store the alert "candidates" and have PacketAlertFinalize only write the final alerts to the Packet structure.
Updated by Jeff Lucovsky over 1 year ago
- Copied from Optimization #4943: alerts: use alert queing in DetectEngineThreadCtx added
Updated by Juliana Fajardini Reichow about 1 year ago
- Status changed from New to In Progress
- Assignee changed from OISF Dev to Juliana Fajardini Reichow
- Target version set to 6.0.6
Updated by Juliana Fajardini Reichow about 1 year ago
- Status changed from In Progress to In Review
Backports PR for review: https://github.com/OISF/suricata/pull/7366
Updated by Juliana Fajardini Reichow about 1 year ago
- Status changed from In Review to Closed
Merged PR: https://github.com/OISF/suricata/pull/7369
Updated by Juliana Fajardini Reichow about 1 year ago
- Subject changed from alerts: use alert queing in DetectEngineThreadCtx to alerts: use alert queing in DetectEngineThreadCtx (6.0.x backport)