stream/rules: disable depth rule by default

author Victor Julien <vjulien@oisf.net>

Tue, 4 Oct 2022 08:48:56 +0000 (10:48 +0200)

committer Victor Julien <vjulien@oisf.net>

Tue, 4 Oct 2022 08:48:56 +0000 (10:48 +0200)
author Victor Julien <vjulien@oisf.net>
Tue, 4 Oct 2022 08:48:56 +0000 (10:48 +0200)
committer Victor Julien <vjulien@oisf.net>
Tue, 4 Oct 2022 08:48:56 +0000 (10:48 +0200)
diff --git a/rules/stream-events.rules b/rules/stream-events.rules

index a267331875fa4fe383e7c0c8b08596cb9a5bfa78..7ffeb6b5d30b10ff4a70953240fcf84a1bae89dc 100644 (file)
--- a/rules/stream-events.rules
+++ b/rules/stream-events.rules
@@ -98,6 +98,8 @@ alert tcp any any -> any any (msg:"SURICATA STREAM FIN SYN reuse"; stream-event:
  # Disabled by default as this quite common and not malicious.
  #alert tcp any any -> any any (msg:"SURICATA STREAM spurious retransmission"; stream-event:pkt_spurious_retransmission; classtype:protocol-command-decode; sid:2210061; rev:1;)
  
-alert tcp any any -> any any (msg:"SURICATA STREAM reassembly depth reached"; stream-event:reassembly_depth_reached; classtype:protocol-command-decode; sid:2210062; rev:1;)
+# Depth setting reached for a stream. Very common in normal traffic, so disable by default.
+#alert tcp any any -> any any (msg:"SURICATA STREAM reassembly depth reached"; stream-event:reassembly_depth_reached; classtype:protocol-command-decode; sid:2210062; rev:1;)
+
  # next sid 2210063
author	Victor Julien <vjulien@oisf.net>
	Tue, 4 Oct 2022 08:48:56 +0000 (10:48 +0200)
committer	Victor Julien <vjulien@oisf.net>
	Tue, 4 Oct 2022 08:48:56 +0000 (10:48 +0200)