Task #5180

open

detect/alert: make sure that signatures with `drop` action are respected, even if the alert is discarded

Added by Juliana Fajardini Reichow 7 months ago. Updated 4 months ago.

Status: In Progress
Priority: Normal
Target version:
Effort:
Difficulty:
Label:

Description

Considering that an alert could be discarded from the packet queue due to queue size limitations, we must consider how signatures with the `drop` action are still taken into account, even if the respective alert is dropped.

I guess... thought must also be given with regard to how we indicate what is going on with said traffic, even if the alert isn't kept. Debug log? Specific stats counter?


Related issues 1 (0 open, 1 closed)

Related to Optimization #5178: detect/alert: improve packet alert queue handling (Rejected, Juliana Fajardini Reichow)

#1

Updated by Juliana Fajardini Reichow 7 months ago

#2

Updated by Juliana Fajardini Reichow 7 months ago

  • Subject changed from detect/alert: make sure that signature with `drop` action are respected, even if the alert is discarded to detect/alert: make sure that signatures with `drop` action are respected, even if the alert is discarded
#3

Updated by Juliana Fajardini Reichow 6 months ago

  • Status changed from New to In Progress
#4

Updated by Juliana Fajardini Reichow 6 months ago

  • Status changed from In Progress to Assigned

Will stop current work on this issue because we will try to follow the approach for #4943.

#5

Updated by Juliana Fajardini Reichow 6 months ago

  • Target version changed from TBD to 7.0rc1
#6

Updated by Juliana Fajardini Reichow 5 months ago

  • Status changed from Assigned to In Progress
#7

Updated by Juliana Fajardini Reichow 4 months ago

Back to working on this.

Draft PR for appreciation and improvements: https://github.com/OISF/suricata/pull/7469
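
The requirement in the task description, shown as an added example that is not part of this ticket and not Suricata's code: a small C model of a size-limited per-packet alert queue in which the drop verdict is recorded independently of whether the alert record is kept, with a counter for discarded alerts. All names, the queue limit and the sample matches are assumptions made for this model.

```c
#include <stdbool.h>
#include <stdio.h>

#define QUEUE_MAX 3    /* constructed per-packet alert queue limit */
#define ACT_ALERT 0x01 /* hypothetical action flags for this model */
#define ACT_DROP  0x02

typedef struct { unsigned sid; unsigned action; } SigMatch;
typedef struct {
    unsigned sids[QUEUE_MAX]; /* alerts kept for output */
    size_t   queued;
    unsigned discarded;       /* stats counter: alerts lost to the limit */
    unsigned discarded_drop;  /* of those, how many carried a drop action */
    bool     verdict_drop;    /* packet verdict, kept outside the queue */
} PacketModel;

/* Record one match. The verdict is set before the capacity check, so a
 * full queue can lose the alert record but never the drop itself. */
static void packet_add_match(PacketModel *p, const SigMatch *m)
{
    bool is_drop = (m->action & ACT_DROP) != 0;
    p->verdict_drop = p->verdict_drop || is_drop;
    if (p->queued < QUEUE_MAX) {
        p->sids[p->queued++] = m->sid;
        return;
    }
    p->discarded++;
    p->discarded_drop += is_drop;
}

/* Run all matches for one packet and return the resulting state. */
static PacketModel packet_process(const SigMatch *m, size_t n)
{
    PacketModel p = {0};
    for (size_t i = 0; i < n; i++)
        packet_add_match(&p, &m[i]);
    return p;
}

/* Constructed sample: the drop signature matches after the queue is full. */
static const SigMatch sample_matches[] = {
    {1001, ACT_ALERT}, {1002, ACT_ALERT}, {1003, ACT_ALERT},
    {1004, ACT_ALERT}, {2001, ACT_ALERT | ACT_DROP},
};

int main(void)
{
    PacketModel p = packet_process(sample_matches, 5);
    printf("drop=%d kept=%zu discarded=%u\n", p.verdict_drop, p.queued, p.discarded);
}
```

In this model the alert for the constructed sid 2001 is discarded, yet the packet verdict is still drop and the two counters show that a drop-carrying alert was among those lost.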
