[Oisf-users] Suricata 1.3.4 problem

Martin Holste mcholste at gmail.com
Thu Dec 6 01:05:45 UTC 2012


Probably the flow timeouts as discussed earlier this week on the list.  Try
out my aggressive flow timeout example and see if that fixes it.


On Wed, Dec 5, 2012 at 5:53 PM, Paul Halliday <paul.halliday at gmail.com> wrote:

> Hi,
>
> Not quite sure what's happening but Suricata stops generating alerts
> after about 30 minutes of operation. Bandwidth during this test never
> peaked above 50. Running on FreeBSD 9.1
>
>
> MEM and CPU for the process (~30 second interval):
>
> 1354748069,804M,26.37%
> 1354748099,807M,25.15%
> 1354748129,812M,31.10%
> 1354748159,818M,26.76%
> ...
> 1354749629,1061M,27.25%
> 1354749659,1065M,24.27%
> 1354749689,1069M,26.12%
> 1354749719,1089M,26.12%
> 1354749749,1090M,36.38%
> 1354749779,1092M,108.30%
> 1354749809,1095M,108.11%
> 1354749839,1098M,108.06%
> 1354749869,1098M,196.78%
> 1354749899,1098M,200.00%
> 1354749929,1098M,200.00%
> 1354749959,1098M,200.00%
> 1354749989,1098M,200.00%
>
> Around the spike from 36 to 108 utilization Suricata throws this:
>
> 5/12/2012 -- 19:21:50 - <Info> - Flow emergency mode over, back to
> normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1354749710,
> ts.tv_usec:449629) flow_spare_q status(): 38% flows at the queue
>
> A knob I need to turn somewhere?
>
> Thanks!
>
> --
> Paul Halliday
> http://www.pintumbler.org/
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
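As an added example that is not part of the thread or of Suricata itself: a small Python checker that parses a process-monitor series like the one quoted above together with a suricata.log excerpt, and flags a flow emergency-mode transition that is followed by a CPU jump, which is the pattern to watch for when tuning the flow timeouts Martin refers to. The sample values are taken from the messages above; the 2x ratio threshold and the 120-second window are assumptions.

```python
import re

# Constructed excerpt of the ~30 s monitor series from the thread: epoch,RSS,cpu%
SAMPLES_CSV = """\
1354749689,1069M,26.12%
1354749749,1090M,36.38%
1354749779,1092M,108.30%
1354749809,1095M,108.11%
1354749869,1098M,196.78%
"""
# The suricata.log line quoted in the thread (ts.tv_sec is the flow manager's clock)
LOG_TEXT = ("5/12/2012 -- 19:21:50 - <Info> - Flow emergency mode over, back to normal... "
            "unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1354749710, ts.tv_usec:449629) "
            "flow_spare_q status(): 38% flows at the queue\n")

SAMPLE_RE = re.compile(r"^(\d+),(\d+)M,([\d.]+)%$")
EMERGENCY_RE = re.compile(r"Flow emergency mode (?P<state>\w+).*?ts\.tv_sec: (?P<ts>\d+)"
                          r".*?flow_spare_q status\(\): (?P<spare>\d+)% flows")

def parse_samples(text):
    """Return [(epoch, rss_mb, cpu_pct)] for well-formed lines; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = SAMPLE_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), int(m.group(2)), float(m.group(3))))
    return out

def parse_emergency_events(text):
    """Extract flow emergency transitions as (state, epoch, spare_queue_pct)."""
    return [(m.group("state"), int(m.group("ts")), int(m.group("spare")))
            for m in EMERGENCY_RE.finditer(text)]

def cpu_after_event(samples, event_ts, window=120):
    """(last CPU% before the event, peak CPU% within `window` s after it), or None."""
    before = [s for s in samples if s[0] <= event_ts]
    after = [s for s in samples if event_ts < s[0] <= event_ts + window]
    if not before or not after:
        return None
    return before[-1][2], max(s[2] for s in after)

def flag_flow_pressure(samples, log_text, ratio=2.0):
    """Flag emergency-mode transitions followed by a CPU jump of at least `ratio` x."""
    flagged = []
    for state, ts, spare in parse_emergency_events(log_text):
        pair = cpu_after_event(samples, ts)
        if pair and pair[1] >= ratio * pair[0]:
            flagged.append({"state": state, "ts": ts, "spare_pct": spare,
                            "cpu_before": pair[0], "cpu_peak_after": pair[1]})
    return flagged
```

Run it against a full monitor export and suricata.log to see whether every emergency-mode message lines up with a CPU spike; if it does, the flow table is filling faster than flows are timed out, which is what shorter flow timeouts or a larger flow memcap address.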