From: Juliana Fajardini Date: Wed, 29 May 2024 17:26:54 +0000 (-0300) Subject: userguide/upgrade: add note about alerts' increase X-Git-Tag: suricata-8.0.0-beta1~1184 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=43b998aa73b5836f29b73ac2dd979ae84ede2406;p=thirdparty%2Fsuricata.git userguide/upgrade: add note about alerts' increase With triggering stream reassembly early, since for certain types of rules there may be more alerts triggered - even in IPS mode, make this clear in the upgrading section. Bug #7026 --- diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst index 4af0ad1c72..4de3971c94 100644 --- a/doc/userguide/upgrade.rst +++ b/doc/userguide/upgrade.rst @@ -57,6 +57,9 @@ Major changes Instead, both the SDP parser and logger depend on being invoked by another parser (or logger). - ARP decoder and logger have been introduced. Since ARP can be quite verbose and produce many events, the logger is disabled by default. +- It is possible to see an increase of alerts, for the same rule-sets, if you + use many stream/payload rules, due to Suricata triggering TCP stream + reassembly earlier. Upgrading 6.0 to 7.0 --------------------
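Review bot: The new bullet appended to the "Major changes" list in doc/userguide/upgrade.rst (the three `+` lines) omits the IPS-mode point that the commit message makes ("even in IPS mode"), so a reader running inline cannot tell from the upgrade note that the increase applies to them as well. Suggest saying so in the bullet itself, for example by ending it with "... due to Suricata triggering TCP stream reassembly earlier. This also applies in IPS mode." The bullet would also be more useful if it said what counts as "stream/payload rules" or referenced Bug #7026, so that operators comparing alert volume before and after the upgrade know which signatures the change can affect. Minor wording: "an increase in alerts" reads better than "an increase of alerts".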