I cannot think of an immediate problem here but more info will be appreciated. Suricata is designed to work continuously and there should not be a single setting to “stop after 2 days/ 1000 flows etc.”
When it happens the next time try to gather more info. Some questions to answer:
- Does it generate any other logs except alerts, e.g. flow records, protocol layer records etc.?
- Are stats increasing?
- Is there anything in visible in the suricata.log, e.g. Flow emergency?
- Can you verify that Suricata is still running - generate coredump if it crashes - that can be very helpful
- Can you identify the last pcap it processed and can you reproduce the issue?
- Is the TX script working fine? Can you see the traffic with other tools, e.g. tcpdump?
Btw, if you are analyzing only PCAPs wouldn’t it be better to use PCAP reading mode and the --pcap-file-continuous option?