Suricata 7 Flow emergency mode entered

atbohmer · October 5, 2023, 12:40pm

A few times this has shown up on a Suricata 7.0.1 Redhat 8 server with DPDK running:

Oct 5 14:14:14 suricata[4109]: Notice: flow-manager: Flow emergency mode entered… [FlowManager:flow-manager.c:802]
Oct 5 14:14:24 suricata[4109]: Notice: flow-manager: Flow emergency mode over, back to normal… unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1696508064, ts.tv_usec:209211) flow_spare_q status(): 237% flows at the queue [FlowManager:flow-manager.c:868]

Oct 5 14:30:11 suricata[4109]: Notice: flow-manager: Flow emergency mode entered… [FlowManager:flow-manager.c:802]
Oct 5 14:30:11 suricata[4109]: Notice: flow-manager: Flow emergency mode entered… [FlowManager:flow-manager.c:802]

What is the best approach, reducing flowtimeout values or such?

Thanks,
Andre

lukashino · October 5, 2023, 1:08pm

Yes, reducing flow timeouts can be one of the options. The other I can think of is by increasing flow.size to have a larger flow table.

Flow size settings is here: https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L1424

Topic		Replies	Views
Flow Emergency Mode entered Help suricata	4	1641	May 11, 2022
Accumulation of flow-timeout inuse Help	9	7865	May 26, 2021
Help Increasing Flow Memcap Help suricata	0	32	April 26, 2024
Suricata flow keyword causing cpu/mem overload Help	3	450	January 17, 2023
Several question(mpm, memory leak) Help	9	1050	May 26, 2021

Suricata 7 Flow emergency mode entered

Related Topics