Optimization #5180: detect/alert: make sure that signatures with `drop` action are respected, even if the alert is discarded - Suricata - Open Information Security Foundation

Actions

Copy link

Optimization #5180

open

detect/alert: make sure that signatures with `drop` action are respected, even if the alert is discarded

Added by Juliana Fajardini Reichow about 3 years ago. Updated about 2 months ago.

Status:

In Progress

Priority:

Normal

Assignee:

Juliana Fajardini Reichow

Target version:

8.0.0-rc1

Effort:

Difficulty:

Label:

Description

Considering that an alert could be discarded from the packet queue due to queue size limitations, we must consider how signatures with the `drop` action are still taken into account, even if the respective alert is dropped.

I guess... thought must also be given with regards to how do we indicate what is going on with said traffic, even if the alert isn't kept. Debug log? Specific stats counter?

Related issues 1 (0 open — 1 closed)

Actions

Copy link

Updated by Juliana Fajardini Reichow about 3 years ago

Related to Optimization #5178: detect/alert: improve packet alert queue handling added

Actions

Copy link

Updated by Juliana Fajardini Reichow about 3 years ago

Subject changed from detect/alert: make sure that signature with `drop` action are respected, even if the alert is discarded to detect/alert: make sure that signatures with `drop` action are respected, even if the alert is discarded

Actions

Copy link