From: Masud Hasan (mashasan) Date: Fri, 18 Feb 2022 17:45:34 +0000 (+0000) Subject: Pull request #3280: detection_filter: update dev notes to show multithreaded behavior X-Git-Tag: 3.1.24.0~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ed61f8328d0f7045dff68af193173402f08e9efc;p=thirdparty%2Fsnort3.git Pull request #3280: detection_filter: update dev notes to show multithreaded behavior Merge in SNORT/snort3 from ~MMATIRKO/snort3:dev-notes-df to master Squashed commit of the following: commit b1f85411b8978cb61d634f815ce960e6e54d560f Author: Michael Matirko Date: Thu Feb 17 11:59:55 2022 -0500 detection_filter: update dev notes to show multithreaded behavior --- diff --git a/src/filters/dev_notes.txt b/src/filters/dev_notes.txt index 73b75091b..1d62ff216 100644 --- a/src/filters/dev_notes.txt +++ b/src/filters/dev_notes.txt @@ -1,10 +1,13 @@ A collection of several different event and detection filtering function. The types of filters implemented here include: -Detection Filter - One of the last steps of the rule evaluation process. A +Detection Filter - One of the last steps of the rule evaluation process. A detection filter can prevent a rule from firing based on a simple threshold. For example, only generate an alert if the filter has been -evaluated N times in M time period. +evaluated N times in M time period. Events are accumulated into a +multithreaded hash structure, to allow for real-time eventing as soon +as the threshold value is crossed, regardless of which thread(s) processed +the prior, non-eventing packets. Rate Filter - Based on configuration options, generically track multiple occurrences of the same event/address tuples. The configuration can
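Review bot: The added sentence in the Detection Filter paragraph ("Events are accumulated into a multithreaded hash structure ...") says the accumulator is shared across threads but does not say how concurrent updates are synchronized or which structure is meant; since the point of the change is to document cross-thread threshold counting, name the shared hash (or the class that owns it) and state whether the count increment and the threshold comparison happen atomically, otherwise a reader cannot tell whether two threads crossing N at the same time could both event. Minor wording: drop the comma before "to allow for real-time eventing", and the unchanged first line "event and detection filtering function" should read "functions" (worth fixing here since the hunk already touches this paragraph).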