From: Yehor Velykozhon -X (yvelykoz - SOFTSERVE INC at Cisco) Date: Tue, 6 Aug 2024 13:03:43 +0000 (+0000) Subject: Pull request #4413: filters: update dev_notes.txt with details for event_filter X-Git-Tag: 3.3.3.0~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=daf3ca3bc49b70201780e0092b8ef79dd3691f92;p=thirdparty%2Fsnort3.git Pull request #4413: filters: update dev_notes.txt with details for event_filter Merge in SNORT/snort3 from ~YVELYKOZ/snort3:doc_upd to master Squashed commit of the following: commit 3ee7d1f343c0cf487ed51b7fb10ef1d9d32d36d1 Author: Yehor Velykozhon Date: Tue Aug 6 11:47:52 2024 +0300 filters: update dev_notes.txt with details for event_filter --- diff --git a/src/filters/dev_notes.txt b/src/filters/dev_notes.txt index 1d62ff216..db6effbd4 100644 --- a/src/filters/dev_notes.txt +++ b/src/filters/dev_notes.txt @@ -20,8 +20,12 @@ attacks. Event Filter - After the rules engine generates whatever actions it needs to, the Event Filter is then invoked to filter the logging of these events. Once again, tracking by event/address tuples, block the logging of events -if the configured counts per time is exceeded. This will tend to reduce -the logging system load for rules that fire too often. +if the configured counts per time is exceeded. This will tend to reduce +the logging system load for rules that fire too often. Due to technical +difficulties of a multi-threaded hash table, a thread local table is used. +Thus, the modules work within a packet thread. A user might see events +from different packet threads, even if they would be suppressed be it a +single packet thread. All of the filters in this area are a collection of similar services brought together to share the same event tracking logic. sfthreshold.cc
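Review bot: the new sentence "even if they would be suppressed be it a single packet thread" has a typo; it should read "even if they would be suppressed were it a single packet thread" (or "were there a single packet thread"). Also, the first two added lines ("if the configured counts per time is exceeded. This will tend to reduce" / "the logging system load for rules that fire too often.") are textually identical to the two removed lines, so the hunk carries a whitespace-only change on those lines that adds diff noise; consider dropping it or mentioning it in the commit message. On substance, since the note says a thread local table is used and the modules work within a packet thread, it would help users to state the consequence directly: the configured count is enforced per packet thread rather than globally, so a rule whose matching traffic is spread across threads can log more events than the configured count in a given time window.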