Help Increasing Flow Memcap

catch22live · April 26, 2024, 1:50pm

Hello there, I’m using Suricata 6.0.11 in IDS mode.
I’m currently getting these “Flow emergency mode entered” notices and as a mitigation I was going to proceed with increasing the Flow memcap from 128mb to 512mb. I was going to allocate more memory to my virtual machine that I have Suricata installed on and then increase the flow memcap in the “suricata.yaml”. Once I’ve increased the flow memcap I would restart the suricata services.

I’m a Suricata Newbie and would like to know if it’s just as simple as changing the value in the suricata.yaml and restarting the suricata services or would I need to do or change anything else in order for the flow memcap to properly get increased?

For example: Would I need to increase another value or are there any dependencies before I increase the flow memcap? Are there any additional steps I need to take before I change the value of the flow memcap? What would be the procedures on increasing the flow memcap?

Would increasing the flow memcap break or stop suricata from running?

Andreas_Herz · July 31, 2024, 8:05pm

You should give it a try, depending on the amount of flows you might also want to increase the number of flow managers/recyclers:

flow:
  #managers: 1 # default to one flow manager
  #recyclers: 1 # default to one flow recycler thread

You can also post the suricata.log and stats.log so we can check if there are other values that might need a change.

Topic		Replies	Views
Looking for memcap tuning resources Help suricata	1	685	December 31, 2022
Question on tcpreassembly-memuse Help suricata	3	66	August 8, 2024
Suricata memory usage has been increasing Help community	13	3043	January 6, 2022
Memory increases as attack traffic keeps being played	2	334	April 6, 2023
Flow Emergency Mode entered Help suricata	4	1930	May 11, 2022

Help Increasing Flow Memcap

Related topics