-
-
Notifications
You must be signed in to change notification settings - Fork 44
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
delay alerting/"autoignore" until thresholds met #426
Comments
Hey @smith8917, thanks for the feature request! @vkotronis what do you thing about this? |
@smith8917 thanks for reporting this!
Therefore, holding a hijack alert will require some redesign of what ARTEMIS detection is doing. Namely, now we conflate the hijack events we store in PG with alerts. We would need separate tables for the events and the alerts; an event would accumulate data (as now), and the alert would only be generated when the corresponding thresholds are met. So in that case we still target objective number 1, but we modify significantly objective number 2. Need to think (also I would welcome your input on this), if we should do this for the next 1.Y version or for 2.0. What is more cumbersome are the frontend changes (at least as I see them) and the fact that the current hijacks table carries a lot of information that we need to move to the alerting table (this needs to be designed carefully). Assuming that this support is there, then on the backend I do not see any significant issues while implementing this logical change. I think this feature request is valuable and results in a better behavior for ARTEMIS; we also avoid the synchronous (periodic) timer checks and make alerting async based on the ignore criteria. In case you have cycles right now please feel free to check it out, otherwise I will take a spin on it when I manage to get some holiday time out of my military service. |
Suggested workflow:
@slowr if you have more ideas on this feel free to extend/adjust this proposed workflow. |
We could make use of an "autoignore" feature that is implemented in a way that reverses the current logic. Instead of "alert-but-ignore-if-not-critical-after-ramp-up", we'd like to see a "ignore-first, alert-if-critical-after-ramp-up" option.
The implementation would look much like a traditional monitoring system's threshold setup where the alerts (Slack, email, log, dashboard, etc) are only triggered once the threshold of "peers seen" and "ASes seen" have both been reached. You could "and" or "or" the two thresholds (or even better, make that an option for the user) to decide when to alert.
This would also render the "interval" variable unnecessary since you're not using a timer to determine whether ARTEMIS should alert. You might be able to make use of the this variable though - by setting it to "0", a user could enable this feature.
The text was updated successfully, but these errors were encountered: