doc: update configuration with flow rate-tracking 12931/head
authorShivani Bhardwaj <shivani@oisf.net>
Wed, 2 Apr 2025 09:17:21 +0000 (14:47 +0530)
committerVictor Julien <victor@inliniac.net>
Thu, 3 Apr 2025 08:05:51 +0000 (10:05 +0200)
Feature 5647

doc/userguide/configuration/suricata-yaml.rst

index 1d8047e1e26803d6c6ea53bb4b887616e236f840..e79db426273b76ed68e638349dd89e6e73fd34fa 100644 (file)
@@ -1101,7 +1101,11 @@ what to do in case memcap is hit: 'drop-packet', 'pass-packet', 'reject', or
     memcap-policy: bypass         #How to handle the flow if memcap is reached (IPS mode)
     hash-size: 65536              #Flows will be organized in a hash-table. With this option you can set the
                                   #size of the hash-table.
-    Prealloc: 10000               #The amount of flows Suricata has to keep ready in memory.
+    prealloc: 10000               #The amount of flows Suricata has to keep ready in memory.
+    rate-tracking:                #Enable tracking of flows by the following rate definition; mark them
+                                  #as elephant flows if they exceed the defined rate. Disabled by default.
+      bytes: 1GiB                 #Number of bytes to track
+      interval: 10                #Time interval in seconds for which tracking should be done
 
 At the point the memcap will still be reached, despite prealloc, the
 flow-engine goes into the emergency-mode. In this mode, the engine