From: Victor Julien
Date: Wed, 1 Jun 2022 12:57:52 +0000 (+0200)
Subject: stream/rules: add example rule for pkt_spurious_retransmission
X-Git-Tag: suricata-7.0.0-beta1~492
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d8edea904c051baaeb06d489aa739e7f1b3f2e3f;p=thirdparty%2Fsuricata.git
stream/rules: add example rule for pkt_spurious_retransmission
---
diff --git a/rules/stream-events.rules b/rules/stream-events.rules
index 39435819f5..66998449d9 100644
--- a/rules/stream-events.rules
+++ b/rules/stream-events.rules
@@ -94,5 +94,9 @@ alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; st
 # Packet with FIN+SYN set
 alert tcp any any -> any any (msg:"SURICATA STREAM FIN SYN reuse"; stream-event:fin_syn; classtype:protocol-command-decode; sid:2210060; rev:1;)
-# next sid 2210061
+# Packet is a spurious retransmission, so a retransmission of already ACK'd data.
+# Disabled by default as this quite common and not malicious.
+#alert tcp any any -> any any (msg:"SURICATA STREAM spurious retransmission"; stream-event:pkt_spurious_retransmission; classtype:protocol-command-decode; sid:2210061; rev:1;)
+
+# next sid 2210062
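Review bot: The comment above the commented-out `sid:2210061` rule is missing a verb ("as this quite common") and gives no guidance to an operator who decides to enable it. Since the comment itself describes the event as common and benign, an enabled rule would presumably alert on every such packet and bury more useful stream events. I would reword the second comment line to `# Disabled by default as this is quite common and not malicious. If enabled, pair it with a threshold to limit alert volume.` The sid and the bumped `# next sid 2210062` marker are consistent with the preceding `sid:2210060` entry visible in the hunk.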