
Alert queue optimizations - v2 #7290

Closed
wants to merge 10 commits into from

Conversation

jufajardini
Contributor

Previous PR: #7284

Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/4943

Describe changes:

  • Rename functions to respect naming conventions
  • add warning message where Realloc could fail
  • short up function name
  • keep TODO comment about tx id frame
  • simplify some checks within PacketAlertFinalize
  • improve Sort Helper function to take tx_id into consideration

Once this work gets approved, then we can see if more work needs to be done in #7212

suricata-verify-pr: 808
OISF/suricata-verify#808

Initial work to bring the alert queue processing to
DetectEngineThreadCtx.

Task OISF#4943
Sort the PacketAlert queue that will be passed to the Packet handling
functions, so there's less work to be done with it from there.

Task OISF#4943
Do all alert queue processing before actually appending
the PacketAlerts to the Packet's alert queue.

Task OISF#4943
Since we now only copy the PacketAlerts to the Packet's queue after
processing them, we no longer do packet alert appending from
detect-engine-alert, nor do we remove PacketAlerts from the queue (if
they're discarded by overflow or thresholding, they're not copied to the
final alert queue).

Task OISF#4943
The maximum of possible alerts triggered by a unique packet was
hardcoded to 15. With usage of 'noalert' rules, that limit could be
reached somewhat easily. Make that configurable via suricata.yaml.

Conf Bug#4941

Task OISF#4207
Add a counter to our stats log with the total of alerts that have been
discarded due to packet alert queue overflow.

Task OISF#5179
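The commit messages above describe a processing order rather than code: alerts are gathered in a thread-local working queue, sorted (with the transaction id as a tie-breaker), and only then copied into the packet's bounded alert array, with anything that does not fit counted in a stats counter instead of being dropped silently. The following is an added, self-contained C model of that flow; it is not Suricata's code and every name in it (AlertModel, WorkQueueModel, PacketModel, the sort order, the working-queue capacity) is an assumption made for illustration. The default limit of 15 is the value the page mentions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model (not Suricata's code) of the flow the commit messages
 * describe: alerts are collected in a thread-local working queue, sorted,
 * and only then copied into the packet's bounded alert array; whatever does
 * not fit is counted as discarded instead of being silently dropped. */

#define PACKET_ALERT_MAX_DEFAULT 15   /* the former hardcoded limit */
#define WORK_QUEUE_CAP 128            /* working-queue size, chosen for the example */

typedef struct {
    uint32_t sid;      /* signature id */
    int priority;      /* lower value = more important (assumed ordering) */
    uint64_t tx_id;    /* app-layer transaction the alert belongs to */
} AlertModel;

typedef struct {
    AlertModel items[WORK_QUEUE_CAP];
    size_t cnt;
    size_t max;          /* configurable per-packet limit */
    uint64_t discarded;  /* stats counter: alerts dropped on overflow */
} WorkQueueModel;

typedef struct {
    AlertModel alerts[WORK_QUEUE_CAP];
    size_t cnt;
} PacketModel;

void work_queue_init(WorkQueueModel *q, size_t max) {
    memset(q, 0, sizeof(*q));
    q->max = max ? max : PACKET_ALERT_MAX_DEFAULT;
}

/* Returns 0 on success, -1 if the working queue itself is exhausted. */
int work_queue_append(WorkQueueModel *q, uint32_t sid, int priority, uint64_t tx_id) {
    if (q->cnt >= WORK_QUEUE_CAP) {
        fprintf(stderr, "warning: working alert queue full, sid %u not queued\n", sid);
        return -1;
    }
    q->items[q->cnt++] = (AlertModel){ .sid = sid, .priority = priority, .tx_id = tx_id };
    return 0;
}

/* Sort helper: most important first; ties broken by tx id, then sid, so the
 * order handed to the packet is deterministic. */
static int alert_cmp(const void *a, const void *b) {
    const AlertModel *x = a, *y = b;
    if (x->priority != y->priority) return x->priority < y->priority ? -1 : 1;
    if (x->tx_id != y->tx_id) return x->tx_id < y->tx_id ? -1 : 1;
    if (x->sid != y->sid) return x->sid < y->sid ? -1 : 1;
    return 0;
}

/* Finalize: sort, then copy at most q->max alerts into the packet.
 * Returns the number copied; the rest are added to q->discarded. */
size_t work_queue_finalize(WorkQueueModel *q, PacketModel *p) {
    qsort(q->items, q->cnt, sizeof(q->items[0]), alert_cmp);
    size_t keep = q->cnt < q->max ? q->cnt : q->max;
    memcpy(p->alerts, q->items, keep * sizeof(q->items[0]));
    p->cnt = keep;
    q->discarded += q->cnt - keep;
    q->cnt = 0;   /* working queue is reused for the next packet */
    return keep;
}

/* Constructed scenario: one packet matching 17 rules with cycling priorities
 * and two transaction ids. Fills demo_packet and returns the discarded count. */
PacketModel demo_packet;

uint64_t demo_overflow(size_t max) {
    WorkQueueModel q;
    work_queue_init(&q, max);
    for (uint32_t i = 0; i < 17; i++) {
        /* priorities cycle 3,2,1; tx ids alternate between two transactions */
        work_queue_append(&q, 1000000 + i, 3 - (int)(i % 3), i % 2);
    }
    work_queue_finalize(&q, &demo_packet);
    return q.discarded;
}

int main(void) {
    uint64_t dropped = demo_overflow(PACKET_ALERT_MAX_DEFAULT);
    printf("kept %zu alerts, discarded %llu\n", demo_packet.cnt, (unsigned long long)dropped);
    for (size_t i = 0; i < demo_packet.cnt; i++)
        printf("  sid=%u prio=%d tx=%llu\n", demo_packet.alerts[i].sid,
               demo_packet.alerts[i].priority, (unsigned long long)demo_packet.alerts[i].tx_id);
    return 0;
}
```

With the default limit of 15, the 17 constructed alerts yield a packet holding all priority-1 and priority-2 alerts plus the four earliest priority-3 ones, and the counter records the two that were discarded; raising the limit to 20 keeps all 17. The point of doing the sort and the cut before the copy is that the packet never holds alerts that later have to be removed, which is the simplification the commit messages describe.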
@jufajardini
Contributor Author

From what I gather, the CI failures are not related to this patch...

@suricata-qa

Information:

ERROR: QA failed on tlpw1_files_sha256.

field              test        baseline    %
tlpr1_stats_chk
  .flow.memuse     496471168   539921728   91.95%

Pipeline 7151

@jufajardini
Contributor Author

Rebased in #7297

@jufajardini jufajardini deleted the alert-queue-det-ctx/v2 branch May 2, 2022 12:58