[Oisf-users] Reducing flow timeout values

Sat Apr 11 04:32:00 UTC 2020

Hi,
    I would like to tweak the flow timeout values in suricata.yaml. I
understand that there needs to be correlation between the values, but
say if I want to reduce the “established” value to 120 from 300/600
for default/tcp/udp/icmp cases would it cause any issues? I have the
following values.

flow-timeouts:

  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 60
    established: 600
    closed: 60
    bypassed: 100
    emergency-new: 5
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50

Thanks,
Srini