Upgrading Suricata 1.3 to Suricata 1.4
A lot has been changed and improved between Suricata 1.3 and 1.4. Some of these changes have an effect on the configuration.
defrag engine
The defrag engine has been rewritten; see #512 and #540. The most important visible change is the addition of a "memcap" option, similar to the one for the flow, stream and host tables:

    defrag:
      memcap: 32mb
      hash-size: 65536
      trackers: 65535 # number of defragmented flows to follow
      max-frags: 65535 # number of fragments to keep (higher than trackers)
      prealloc: yes
      timeout: 60