Tuning out Suricata v5 Stream Excessive Retransmission
-
This Suricata stream excessive retransmission alert has me pulling my hair out ... even the pfSense webGUI's input is filling the alert tab.
So, I looked it up and found this: https://blog.inliniac.net/2013/04/19/suricata-handling-of-multiple-different-synacks/ ... however, since that blog page is from the year 2013, I would prefer to get Bill's (@bmeeks) methodology on how best to tune this out.
-
I would simply disable that rule. It is primarily an "informative" rule, meaning it's just to let you know something is happening. It does not mean "attack in progress" ...
-
I also found this post: https://forum.netgate.com/topic/124556/suricata-false-positives/2. However, in my case even things the OS might need are being flagged for stream excessive retransmission.
-
@bmeeks Okay Bill, I'll just disable ... thank you!