Project

General

Profile

Actions

Feature #6293

open

Support disabling forced flow reuse in low memory conditions

Added by Cole Dishington over 1 year ago. Updated 2 months ago.

Status:
In Review
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

By default, flow reuse is forced in low memory conditions no matter the state of the flow (see src/flow-hash.c:FlowGetNew:690).

Could we add some config to optionally disable this forced flow-reuse behavior?

Actions #1

Updated by Victor Julien over 1 year ago

  • Target version changed from 7.0.1 to 7.0.2
Actions #2

Updated by Victor Julien about 1 year ago

  • Target version changed from 7.0.2 to 7.0.3
Actions #3

Updated by Victor Julien about 1 year ago

  • Target version changed from 7.0.3 to 8.0.0-beta1
Actions #4

Updated by Cole Dishington 11 months ago

PR=https://github.com/OISF/suricata/pull/10232
SV_PR=https://github.com/OISF/suricata-verify/pull/1607

Actions #5

Updated by Philippe Antoine 11 months ago

  • Status changed from New to In Review
Actions #6

Updated by Cole Dishington 2 months ago ยท Edited

This feature was requested due to HTTP packets, from a previously blocked TCP connection, getting through during high traffic load. This occurred when a blocked TCP connection's flow was re-used and subsequent packets from the previously blocked TCP connection were not categorized as HTTP.

This was only observed in emergency mode, as the flow timeouts are much shorter.

The solution proposed is to not re-use potentially active flows in emergency mode.

In this solution, new flows will be blocked until older flows are timeout out.

Actions

Also available in: Atom PDF