Hello there, I’m using Suricata 6.0.11 in IDS mode.
I’m currently getting these “Flow emergency mode entered” notices, and as a mitigation I was going to proceed with increasing the flow memcap from 128mb to 512mb. I was going to allocate more memory to the virtual machine that I have Suricata installed on and then increase the flow memcap in the “suricata.yaml”. Once I’ve increased the flow memcap, I would restart the Suricata services.
I’m a Suricata newbie and would like to know if it’s just as simple as changing the value in the suricata.yaml and restarting the Suricata services, or would I need to do or change anything else in order for the flow memcap to properly get increased?
For example: Would I need to increase another value, or are there any dependencies before I increase the flow memcap? Are there any additional steps I need to take before I change the value of the flow memcap? What would be the procedures for increasing the flow memcap?
Would increasing the flow memcap break or stop Suricata from running?