Bug #4688
Updated by Victor Julien about 3 years ago
Fix for QA ticket #4672
Bad int handling leads to missed inspection when the prefilter engine list gets too long. In addition to this, there is a logic issue that causes the available bit-space for tracking prefilter engines to overflow. The fix for this is more intrusive, and is not backported to Suricata 5.0. Suricata 5.0 does detect this condition and will issue a warning by default, or an error with @-T@.
If you encounter this warning, the fix is to upgrade to 6.0.4+.
The warning is:
<pre>
<Warning> - [ERRCODE: SC_ERR_DETECT_PREPARE(173)] - max number of prefilter engines exceeded (100 >= 62). Risk of False Negatives. See ticket #4688.
</pre>
The (fatal) error in case of @-T@ is:
<pre>
<Error> - [ERRCODE: SC_ERR_DETECT_PREPARE(173)] - max number of prefilter engines exceeded (100 >= 62). Risk of False Negatives. See ticket #4688.
</pre>
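
A way to check existing Suricata 5.0 logs for this condition, as an added example that is not part of the ticket or of Suricata's own code: it scans log lines for the message quoted above and reports the engine count, the limit, and whether the line is the fatal @-T@ variant. The function names are hypothetical, and the timestamps and the unrelated first line in the sample input are constructed.

```python
import re

# Message text as quoted in the ticket; any prefix before the level tag
# (timestamp, pid) is ignored. Function names here are hypothetical.
PATTERN = re.compile(
    r"<(?P<level>Warning|Error)> - "
    r"\[ERRCODE: SC_ERR_DETECT_PREPARE\(173\)\] - "
    r"max number of prefilter engines exceeded "
    r"\((?P<count>\d+) >= (?P<limit>\d+)\)"
)

def find_prefilter_overflow(lines):
    """Return one record per log line reporting the exceeded engine limit."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = PATTERN.search(line)
        if m is None:
            continue
        hits.append({
            "line": lineno,
            "fatal": m.group("level") == "Error",  # <Error> is the -T case
            "engines": int(m.group("count")),
            "limit": int(m.group("limit")),
        })
    return hits

def needs_upgrade(lines):
    """True if any line shows the condition the ticket says 6.0.4+ fixes."""
    return bool(find_prefilter_overflow(lines))

# Constructed sample input: timestamps and the first line are made up,
# the message text is the one from the ticket.
SAMPLE_LOG = """\
1/1/2022 -- 10:00:00 - <Info> - constructed unrelated startup line
1/1/2022 -- 10:00:01 - <Warning> - [ERRCODE: SC_ERR_DETECT_PREPARE(173)] - max number of prefilter engines exceeded (100 >= 62). Risk of False Negatives. See ticket #4688.
1/1/2022 -- 10:05:00 - <Error> - [ERRCODE: SC_ERR_DETECT_PREPARE(173)] - max number of prefilter engines exceeded (100 >= 62). Risk of False Negatives. See ticket #4688.
""".splitlines()

if __name__ == "__main__":
    for hit in find_prefilter_overflow(SAMPLE_LOG):
        kind = "fatal (-T)" if hit["fatal"] else "warning"
        print(f"line {hit['line']}: {kind}, "
              f"{hit['engines']} engines >= limit {hit['limit']}")
```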