Different way to change the flow timeouts (apart from multi-tenancy)

I’m thinking of different ways to change the flow timeouts. I have a handful of servers / protocols that have very long lived flows and the default timeout needs to be updated, however I only wanted to update it for these servers.

The only way that I could think of doing this is to capture the traffic for the servers on a VLAN or separate interface (device) and then use multi-tenancy.

I wanted to ask if there’s any other way to achieve this?

Many thanks

You could use different Suricata instances on different interfaces, but this could be a more complex setup instead of finding a proper value that would work for all environments. But it would be properly isolated.
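As an added example, not from the thread or from the Suricata project, here is what the split suggested in the reply looks like: a second config file for the interface that carries the long-lived servers, with only the `flow-timeouts` and `flow` sections changed from the stock file. The file path, interface, and the raised timeout and memcap values are assumptions.

```yaml
# Added example (assumed path: /etc/suricata/suricata-longlived.yaml).
# Start from a copy of the stock suricata.yaml; every other section stays
# as in the main instance, only the two sections below differ.
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 60
    # Raised from the stock 600 s so idle-but-open sessions on the
    # long-lived servers are not timed out (assumed value, size to your apps).
    established: 7200
    closed: 60
    bypassed: 100
    emergency-new: 5
    # Emergency values stay tight on purpose: they are what frees the flow
    # table when it fills, and a long normal timeout makes that more likely.
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50

# Longer timeouts mean more flows held at once, so give this instance a
# larger flow table than the stock 128mb (assumed value).
flow:
  memcap: 256mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
```

Run it beside the main instance with its own interface, pid file and log directory so the two do not overwrite each other's EVE output, e.g. `suricata -c /etc/suricata/suricata-longlived.yaml -i eth1 --pidfile /run/suricata-longlived.pid -l /var/log/suricata-longlived` (paths and interface assumed); the main instance keeps the stock timeouts on its own interface.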