From d8edea904c051baaeb06d489aa739e7f1b3f2e3f Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 1 Jun 2022 14:57:52 +0200
Subject: [PATCH] stream/rules: add example rule for pkt_spurious_retransmission
---
 rules/stream-events.rules | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/rules/stream-events.rules b/rules/stream-events.rules
index 39435819f5..66998449d9 100644
--- a/rules/stream-events.rules
+++ b/rules/stream-events.rules
@@ -94,5 +94,9 @@ alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; st
 # Packet with FIN+SYN set
 alert tcp any any -> any any (msg:"SURICATA STREAM FIN SYN reuse"; stream-event:fin_syn; classtype:protocol-command-decode; sid:2210060; rev:1;)
-# next sid 2210061
+# Packet is a spurious retransmission, so a retransmission of already ACK'd data.
+# Disabled by default as this quite common and not malicious.
+#alert tcp any any -> any any (msg:"SURICATA STREAM spurious retransmission"; stream-event:pkt_spurious_retransmission; classtype:protocol-command-decode; sid:2210061; rev:1;)
+
+# next sid 2210062
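Review bot: The second added comment line is missing a verb: `# Disabled by default as this quite common and not malicious.` should read `# Disabled by default as this is quite common and not malicious.`. The first added line would also be clearer as `# Packet is a spurious retransmission, i.e. a retransmission of already ACK'd data.`, since "so a retransmission" reads as a consequence rather than a definition. The commented-out rule, its sid 2210061 and the bumped `# next sid 2210062` marker are consistent with the neighbouring entries, so the only points here are wording in the comments that operators will read when deciding whether to enable the rule.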