[Oisf-users] SURICATA STREAM excessive retransmissions
Vieri
rentorbuy at yahoo.com
Mon Jan 16 10:05:26 UTC 2017
Hi,
I'm getting quite a few hits for this rule (shipped with Suricata):
/etc/suricata/rules/stream-events.rules:alert tcp any any -> any any (msg:"SURICATA STREAM excessive retransmissions"; flowbits:isnotset,tcp.retransmission.alerted; flowint:tcp.retransmission.count,>=,10; flowbits:set,tcp.retransmission.alerted; classtype:protocol-command-decode; sid:2210054; rev:1;)
Usually it affects traffic from an HTTP server in HOME_NET (source port 443) to a remote web client in EXTERNAL_NET.
Doesn't "excessive retransmissions" usually mean there's network congestion? This could be my case, since I might have some internet provider issues.
Having "excessive retransmissions" on a LAN might be more worrying.
Wouldn't it be better to have different threshold values for tcp.retransmission.count depending on whether traffic flow is to or from EXTERNAL_NET?
Thanks,
Vieri
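One way to get the direction-dependent thresholds asked about above, as an added example and not a rule shipped with Suricata or written by the poster: split the stock rule into local rules that use the same per-flow counter and flowbit, with a higher count for flows between HOME_NET and EXTERNAL_NET and the stock count for flows that stay inside HOME_NET. The sids 1000001 and 1000002, the threshold of 30 for internet-facing flows, the rule messages and the file name local.rules are assumptions for illustration; the flowint name tcp.retransmission.count, the flowbit name tcp.retransmission.alerted and the classtype are taken from the shipped rule.

```suricata
# Added example, not part of the shipped stream-events.rules. sids, the 30
# threshold, messages and file name are assumptions chosen for illustration.
# /etc/suricata/rules/local.rules

# Flows between HOME_NET and the internet: tolerate more retransmissions
# before alerting, since provider congestion is the likely cause there.
# "<>" makes the header match packets in either direction of the flow.
alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"LOCAL STREAM excessive retransmissions, internet flow"; flowbits:isnotset,tcp.retransmission.alerted; flowint:tcp.retransmission.count,>=,30; flowbits:set,tcp.retransmission.alerted; classtype:protocol-command-decode; sid:1000001; rev:1;)

# Flows that stay inside HOME_NET: keep the stock threshold of 10, since
# heavy retransmission on the LAN deserves a closer look.
alert tcp $HOME_NET any <> $HOME_NET any (msg:"LOCAL STREAM excessive retransmissions, LAN flow"; flowbits:isnotset,tcp.retransmission.alerted; flowint:tcp.retransmission.count,>=,10; flowbits:set,tcp.retransmission.alerted; classtype:protocol-command-decode; sid:1000002; rev:1;)
```

Two points to check before relying on this. First, the stock sid 2210054 must be disabled (for example with a line containing just `2210054` in suricata-update's disable.conf), because flowbits are per flow: if the shipped rule fires first at count 10 it sets tcp.retransmission.alerted, and the local rule with the higher threshold can then never match on that flow. Second, tcp.retransmission.count is a flowint, so it accumulates for the whole flow regardless of which side sent the retransmitted segments; the rule header only decides which flows (and which packets within them) are eligible to raise the alert, which is why the example uses `<>` rather than a single direction.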