Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Seeking Insight on IPV6 Suricata Alerts – "Excessive Retransmissions" and "Wrong Direction First Data"

    Scheduled Pinned Locked Moved IPv6
    ipv6suricata
    3 Posts 3 Posters 78 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JonathanLeeJ
      JonathanLee
      last edited by JonathanLee

      Hello fellow Netgate community members can you please help?

      I'm seeing repeated Suricata alerts related to:

      STREAM excessive retransmissions (SID: 1:2210054)
      Applayer wrong direction first data (SID: 1:2260001)

      Example entries:

      2a03:​2880:​f031:​24:​face:​b00c:​0:​146f    	07/13/2025 07:30:28	SURICATA STREAM excessive retransmissions	1:2210054
2600:​1406:​2e00:​481:​:​2903    	07/13/2025 07:56:57	SURICATA Applayer Wrong direction first Data	1:2260001	
2600:​1406:​2e00:​49c:​:​441d    	07/13/2025 07:57:04	SURICATA Applayer Wrong direction first Data	1:2260001
2600:​1406:​2e00:​498:​:​441d    	07/13/2025 08:23:05	SURICATA Applayer Wrong direction first Data	1:2260001
2600:​1406:​2e00:​49b:​:​441d    	07/13/2025 08:25:54	SURICATA Applayer Wrong direction first Data	1:2260001	
2600:​1406:​2e00:​48f:​:​2a1    	07/13/2025 08:26:28	SURICATA Applayer Wrong direction first Data	1:2260001
2600:​1406:​2e00:​498:​:​2a1    	07/13/2025 08:28:38	SURICATA Applayer Wrong direction first Data	1:2260001

      Can anyone shed light on:

      Possible causes of excessive retransmissions?
      Could this indicate packet loss, asymmetric routing, or a misconfigured client/server?
      What triggers "wrong direction first data"?
      My understanding is this may occur when application-layer data is received before the expected TCP handshake sequence or on the wrong side of the connection.
      Any clarification or pointers for further investigation would be greatly appreciated.

      Thanks in advance!

      My IPV6 is fully functional

      Make sure to upvote

      S 1 Reply Last reply Reply Quote 0
      • S
        SteveITS Galactic Empire @JonathanLee
        last edited by

        @JonathanLee We disable the stream alerts as I recall. Lots of false positives.

        Have seen the direction one, I suspect it’s a side effect of the legacy processing mode which looks at copies of the packets.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        1 Reply Last reply Reply Quote 1
        • bmeeksB
          bmeeks
          last edited by bmeeks

          @JonathanLee said in Seeking Insight on IPV6 Suricata Alerts – "Excessive Retransmissions" and "Wrong Direction First Data":

          SURICATA Applayer Wrong direction first Data

          Here is the link in the Suricata docs for this stream rule alert: https://docs.suricata.io/en/latest/rules/app-layer.html#applayer-wrong-direction-first-data.

          The short version of the story is that even today, after several attempted fixes within Suricata, the coders of client/server software apps seem to still be able via crappy coding to craft network flows that trip up the Suricata parser. This is basically a harmless error.

          As @SteveITS said, the best thing is to disable all the Suricata stream event rules. They are informational anyway and don't necessarily indicate malicious traffic.

          1 Reply Last reply Reply Quote 1
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.