git.ipfire.org Git - thirdparty/snort3.git/commitdiff
Pull request #4413: filters: update dev_notes.txt with details for event_filter
author Yehor Velykozhon -X (yvelykoz - SOFTSERVE INC at Cisco) <yvelykoz@cisco.com>
Tue, 6 Aug 2024 13:03:43 +0000 (13:03 +0000)
committer Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) <oshumeik@cisco.com>
Tue, 6 Aug 2024 13:03:43 +0000 (13:03 +0000)
Merge in SNORT/snort3 from ~YVELYKOZ/snort3:doc_upd to master

Squashed commit of the following:

commit 3ee7d1f343c0cf487ed51b7fb10ef1d9d32d36d1
Author: Yehor Velykozhon <yvelykoz@cisco.com>
Date:   Tue Aug 6 11:47:52 2024 +0300

    filters: update dev_notes.txt with details for event_filter

src/filters/dev_notes.txt

index 1d62ff216faf03981d80a4fa23ecc62ebe570d2b..db6effbd47280e53b899247eb2c212768b60b890 100644 (file)
@@ -20,8 +20,12 @@ attacks.
 Event Filter - After the rules engine generates whatever actions it needs
 to, the Event Filter is then invoked to filter the logging of these events.
 Once again, tracking by event/address tuples, block the logging of events
-if the configured counts per time is exceeded.  This will tend to reduce
-the logging system load for rules that fire too often.
+if the configured counts per time is exceeded. This will tend to reduce
+the logging system load for rules that fire too often. Due to technical
+difficulties of a multi-threaded hash table, a thread local table is used.
+Thus, the modules work within a packet thread. A user might see events
+from different packet threads, even if they would be suppressed be it a
+single packet thread.
 
 All of the filters in this area are a collection of similar services
 brought together to share the same event tracking logic.  sfthreshold.cc
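
Review bot: The last added sentence ("even if they would be suppressed be it a single packet thread") is hard to parse; "be it" reads like a slip for "were it", and "the modules" in the sentence before it does not say which modules are meant. Consider something like "A user might see events from different packet threads that would have been suppressed had they been handled by a single packet thread", and name the module(s) explicitly. Since the paragraph now says a thread-local table is used, it would also help anyone tuning a filter to state outright that the configured count per time is tracked separately in each packet thread. Minor style point: the rewritten lines use a single space after a period while the unchanged context ("logic.  sfthreshold.cc") keeps two, so the paragraph spacing is now inconsistent within the file.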