Netgate Discussion Forum

    Tuning out Suricata v5 Stream Excessive Retransmission

    • NollipfSense

      This Suricata stream excessive retransmission alert is making me pull my hair out ... even the pfSense webGUI's input is filling the alert tab.

      [Image: Screen Shot 2020-05-08 at 7.06.59 AM.png]

      So, I looked it up and found this: https://blog.inliniac.net/2013/04/19/suricata-handling-of-multiple-different-synacks/ ... however, since that blog page is from 2013, I would prefer to get Bill's (@bmeeks) methodology on how best to tune this out.

      pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
      pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

      • bmeeks

        I would simply disable that rule. It is primarily an "informative" rule, meaning it's just to let you know something is happening. It does not mean "attack in progress" ... ☺.

        • NollipfSense

          I also found this post: https://forum.netgate.com/topic/124556/suricata-false-positives/2 However, in my case even things the OS might need are being flagged for stream excessive retransmission.

          • NollipfSense @bmeeks

            @bmeeks Okay Bill, I'll just disable ... thank you!
