Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    SURICATA STREAM Packet with invalid timestamp

    Scheduled Pinned Locked Moved
    General pfSense Questions
    4
    5
    3.5k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      Draithan
      last edited by

      Hey Everyone... Looking for some advice. I have alot of these alerts in the log and would like to resolve rather then hide...

      I am running XCP-NG on a Dell R620, with a pfsense VM. I have made sure all my clocks are in sync, turned off offloading on the VM's.

      I do get the odd "SURICATA STREAM excessive "retransmissions" as well.

      Any help appreciated! :) And yes I am relatively new to PFsense, Suricata etc. Thank you.

      NollipfSenseN S 2 Replies Last reply Reply Quote 0
      • NollipfSenseN
        NollipfSense @Draithan
        last edited by

        @draithan It's a false positive and because that, I am no longer bothered by them.

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

        1 Reply Last reply Reply Quote 0
        • bmeeksB
          bmeeks
          last edited by

          All of the Suricata stream events are for information only. They generally do not indicate threat. Many folks do disable lots of those built-in EVENTS-type rules, especially when running in Legacy Blocking Mode as they can result in needless blocks of traffic.

          1 Reply Last reply Reply Quote 1
          • S
            SteveITS Rebel Alliance @Draithan
            last edited by

            @draithan In our standard Suricata setup we:

            • check "Disable hardware checksum offload" in (System->Advanced->Networking)
            • Suricata: disable ALL stream-events.rules or it will block lots of traffic on false positives

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            D 1 Reply Last reply Reply Quote 0
            • D
              Draithan @SteveITS
              last edited by

              @steveits said in SURICATA STREAM Packet with invalid timestamp:

              @draithan In our standard Suricata setup we:

              • check "Disable hardware checksum offload" in (System->Advanced->Networking)
              • Suricata: disable ALL stream-events.rules or it will block lots of traffic on false positives

              Ok thanks for the confirmation. Appreciate it. Not seeing anyone posting to not disable..

              Appreciate everyones help!

              1 Reply Last reply Reply Quote 0
              • First post
                Last post