Feature #6293
openSupport disabling forced flow reuse in low memory conditions
Description
By default, flow reuse is forced in low memory conditions no matter the state of the flow (see src/flow-hash.c:FlowGetNew:690).
Could we add some config to optionally disable this forced flow-reuse behavior?
Updated by Victor Julien over 1 year ago
- Target version changed from 7.0.1 to 7.0.2
Updated by Victor Julien about 1 year ago
- Target version changed from 7.0.2 to 7.0.3
Updated by Victor Julien about 1 year ago
- Target version changed from 7.0.3 to 8.0.0-beta1
Updated by Cole Dishington 11 months ago
PR=https://github.com/OISF/suricata/pull/10232
SV_PR=https://github.com/OISF/suricata-verify/pull/1607
Updated by Cole Dishington 3 months ago ยท Edited
This feature was requested due to HTTP packets, from a previously blocked TCP connection, getting through during high traffic load. This occurred when a blocked TCP connection's flow was re-used and subsequent packets from the previously blocked TCP connection were not categorized as HTTP.
This was only observed in emergency mode, as the flow timeouts are much shorter.
The solution proposed is to not re-use potentially active flows in emergency mode.
In this solution, new flows will be blocked until older flows are timeout out.