| Feature | difficulty | importance | changes | notes |
|---|
| Alert payload in DB | medium | important | DB, Persistency, Input | Payload does not have to be stored in the memory since it's irrelevant for the correlation process. This feature requires creating a bypass for data and writing them instantly to the DB upon alert's arrival. A lot of extra data will be stored in the DB |
| Severity in MetaAlerts | hard | important | DB, Persistency, Filters | MetaAlerts do not contain a severity assessment field. There is only a "delta severity". Computing the severity in UI requires a long series of recurrent queries making it slow and impractical. Severity can be computed either during correlation phase generating extra traffic or during a DB syncing in case of two data bases. |
| Speed up shutdown | hard | important | Persistency | Every MetaAlert that is processed at the time of ACARM's shutdown needs to be marked in DB as not in use. This takes a considerable amount of time. Grouping those queries or changing policy not to store that data should work here. If a Cleanup procedure is in progress the shutdown time can go up to a couple of hours. Terminating the cleanup procedure should be considered. |
| Split cleanup procedure | hard | important | Persistency | Cleanup of old alerts and meta alerts is performed in a single transaction and takes several hours to complete. During this time DB performance is severely degraded. Furthermore, ACID-compliant DB has to store temporary data which lead to running out of disk space and increasing SSD wear. |
| Separate UI database | medium | medium | UI, DB | A separate database for UI will increase responsiveness of the Web Interface since the DB will not be shared by the UI and the ACARM. This step will also allow us to design the DB for UI including a lot of precomputed data to increase the UI responsiveness even further. |
| OSSIM input | medium | medium | Input | OSSIM input will increase ACARM's functionality by providing a way to read alerts from new versions of The Snort and a bunch of other sensors. This will also let us to be independent from the Prelude project. |
| Simplify log messages | easy | medium | Logger | Log messages in non-debug mode should be stripped of source code filenames. |
| Postgres partitioning tables | medium | medium | Persistency | Postgres table partitioning may give a performance gain. |