Pull request #3641: doc: add information about handling multiple detection in SSE

author Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) <oshumeik@cisco.com>

Mon, 31 Oct 2022 10:31:55 +0000 (10:31 +0000)

committer Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) <oshumeik@cisco.com>

Mon, 31 Oct 2022 10:31:55 +0000 (10:31 +0000)
author Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) <oshumeik@cisco.com>
Mon, 31 Oct 2022 10:31:55 +0000 (10:31 +0000)
committer Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) <oshumeik@cisco.com>
Mon, 31 Oct 2022 10:31:55 +0000 (10:31 +0000)
diff --git a/src/detection/dev_notes.txt b/src/detection/dev_notes.txt

index 186f2053c0a6aeb468531720aacd3626ea802baf..fad64db17c6590027737123244d3ae416c34a0f0 100644 (file)
--- a/src/detection/dev_notes.txt
+++ b/src/detection/dev_notes.txt
@@ -263,3 +263,9 @@ needed (since the rule has fired) and will be recalled.
  
  Pending continuations from the flow are picked up and updated/evaluated with
  respect to the buffer's source (e.g. flow direction, file context, etc.)
+
+In case of multiple calls for detection (the same packet and IPS context), continuations are created as usual.
+But just-created continuations are not evaluated immediately on the same packet, they will wait their turn in
+the next PDU. Additionally, if an inspector calls for detection on a single data block (like, a full
+attachment in HTTP), continuations can be disabled by providing 'no_flow' flag to file_data buffer or
+any other buffer to indicate that the block is complete and no continuations needed.
author	Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) <oshumeik@cisco.com>
	Mon, 31 Oct 2022 10:31:55 +0000 (10:31 +0000)
committer	Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) <oshumeik@cisco.com>
	Mon, 31 Oct 2022 10:31:55 +0000 (10:31 +0000)