From: Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) Date: Mon, 31 Oct 2022 10:31:55 +0000 (+0000) Subject: Pull request #3641: doc: add information about handling multiple detection in SSE X-Git-Tag: 3.1.47.0~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9fe3b90ac3216dabc9854abe46f4f01db6a16ae1;p=thirdparty%2Fsnort3.git Pull request #3641: doc: add information about handling multiple detection in SSE Merge in SNORT/snort3 from ~YVELYKOZ/snort3:doc_sse_mult_proc_upd to master Squashed commit of the following: commit 6e8e6fffd54702cad4487ea5b54f2715b0c85f48 Author: Yehor Velykozhon Date: Thu Oct 27 16:46:20 2022 +0300 doc: add information about handling multiple detection in SSE --- diff --git a/src/detection/dev_notes.txt b/src/detection/dev_notes.txt index 186f2053c..fad64db17 100644 --- a/src/detection/dev_notes.txt +++ b/src/detection/dev_notes.txt @@ -263,3 +263,9 @@ needed (since the rule has fired) and will be recalled. Pending continuations from the flow are picked up and updated/evaluated with respect to the buffer's source (e.g. flow direction, file context, etc.) + +In case of multiple calls for detection (the same packet and IPS context), continuations are created as usual. +But just-created continuations are not evaluated immediately on the same packet, they will wait their turn in +the next PDU. Additionally, if an inspector calls for detection on a single data block (like, a full +attachment in HTTP), continuations can be disabled by providing 'no_flow' flag to file_data buffer or +any other buffer to indicate that the block is complete and no continuations needed.
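Review bot: the added paragraph at the end of the hunk reads as a comma splice and drops articles in two places, which makes the 'no_flow' sentence ambiguous about who disables what. Suggest "But just-created continuations are not evaluated immediately on the same packet; they wait their turn on the next PDU." and "continuations can be disabled by passing the 'no_flow' flag with the file_data buffer (or any other buffer) to indicate that the block is complete and no continuations are needed." It would also help to state in the first sentence that "multiple calls for detection" means the same packet and IPS context being submitted for detection more than once by an inspector, since that is the case the paragraph is documenting.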