Probably the flow timeouts as discussed earlier this week on the list.  Try out my aggressive flow timeout example and see if that fixes it.<br><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Dec 5, 2012 at 5:53 PM, Paul Halliday <span dir="ltr">&lt;<a href="mailto:paul.halliday@gmail.com" target="_blank">paul.halliday@gmail.com</a>&gt;</span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
Not quite sure what's happening but Suricata stops generating alerts<br>
after about 30 minutes of operation. Bandwidth during this test never<br>
peaked above 50. Running on FreeBSD 9.1<br>
<br>
<br>
MEM and CPU for the process (~30 second interval):<br>
<br>
1354748069,804M,26.37%<br>
1354748099,807M,25.15%<br>
1354748129,812M,31.10%<br>
1354748159,818M,26.76%<br>
...<br>
1354749629,1061M,27.25%<br>
1354749659,1065M,24.27%<br>
1354749689,1069M,26.12%<br>
1354749719,1089M,26.12%<br>
1354749749,1090M,36.38%<br>
1354749779,1092M,108.30%<br>
1354749809,1095M,108.11%<br>
1354749839,1098M,108.06%<br>
1354749869,1098M,196.78%<br>
1354749899,1098M,200.00%<br>
1354749929,1098M,200.00%<br>
1354749959,1098M,200.00%<br>
1354749989,1098M,200.00%<br>
<br>
In around the spike from 36 to 108 utilization Suricata throws this:<br>
<br>
5/12/2012 -- 19:21:50 - &lt;Info&gt; - Flow emergency mode over, back to<br>
normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1354749710,<br>
ts.tv_usec:449629) flow_spare_q status(): 38% flows at the queue<br>
<br>
A knob I need to turn somewhere?<br>
<br>
Thanks!<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Paul Halliday<br>
<a href="http://www.pintumbler.org/" target="_blank">http://www.pintumbler.org/</a><br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</font></span></blockquote></div><br></div>
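An added example, not part of the thread: a sensor-health check that lines up the "Flow emergency mode over" log line with the memory/CPU samples quoted above, to show how far the CPU saturation trails the flow event. The function names and the 100% CPU threshold are assumptions made for this sketch; the sample rows are a subset of those in the post.

```python
import re

# Subset of the resource samples from the post: epoch seconds, memory, CPU.
SAMPLES = """\
1354748069,804M,26.37%
1354748099,807M,25.15%
1354749689,1069M,26.12%
1354749719,1089M,26.12%
1354749749,1090M,36.38%
1354749779,1092M,108.30%
1354749869,1098M,196.78%
1354749989,1098M,200.00%
"""

# The log message from the post, joined onto one line.
LOG_LINE = ("5/12/2012 -- 19:21:50 - <Info> - Flow emergency mode over, back to "
            "normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1354749710, "
            "ts.tv_usec:449629) flow_spare_q status(): 38% flows at the queue")

EVENT_RE = re.compile(r"Flow emergency mode over.*?ts\.tv_sec:\s*(\d+).*?"
                      r"flow_spare_q status\(\):\s*(\d+)% flows")


def parse_samples(text):
    """Return [(epoch, mem_mb, cpu_pct)] from 'epoch,<n>M,<n>%' rows."""
    rows = []
    for line in text.splitlines():
        m = re.fullmatch(r"(\d+),(\d+)M,([\d.]+)%", line.strip())
        if m:  # skip blanks and elided rows such as "..."
            rows.append((int(m.group(1)), int(m.group(2)), float(m.group(3))))
    return rows


def parse_emergency_over(line):
    """Return (epoch, spare_queue_pct) for an emergency-over line, else None."""
    m = EVENT_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None


def correlate(samples, event_ts, cpu_limit=100.0):
    """Memory growth over the window and first CPU-saturated sample after the event."""
    (t0, m0, _), (t1, m1, _) = samples[0], samples[-1]
    growth = (m1 - m0) / ((t1 - t0) / 60.0)
    hot = next((ts for ts, _, cpu in samples if ts >= event_ts and cpu >= cpu_limit), None)
    return {"mem_mb_per_min": growth,
            "saturated_at": hot,
            "seconds_after_event": None if hot is None else hot - event_ts}


if __name__ == "__main__":
    ts, spare = parse_emergency_over(LOG_LINE)
    print(ts, spare, correlate(parse_samples(SAMPLES), ts))
```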