I am trying to understand the benefits or problems of enabling midstream pickup. This functionality is disabled by default in Suricata 6+ but was enabled in Suricata 4.
Several years ago my employer switched from Suricata 4 to Suricata 6 (and we are in the process of moving to v7 soon). One of the things I noticed is this feature being enabled. Originally, my employer used Yaff, and they matched the Suricata 4 configuration to that.
At the moment, we get hundreds to thousands of alerts triggered across our client networks with midstream pickup. These alerts are not reviewed, because of the number of alerts generated and the uncertainty of the information.
My understanding is that we can’t be sure of the direction or content of the traffic when this triggers. We do not currently use async-oneside either.
Should this be kept enabled for all installations or only enabled in some cases? I am trying to understand so we can either remove the configuration and stop generating the alerts we do not act on currently, or figure out how to make the alerts more actionable in some way.
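For reference, the two settings mentioned above both live in the `stream` section of suricata.yaml. The fragment below is an added illustration, not the poster's configuration or anything shipped by the Suricata project; the memcap and depth values are placeholders, and the `midstream-policy` key applies only to Suricata 7 (check the documentation for the exact version you deploy).

```yaml
# Added example: stream settings relevant to midstream pickup.
# Values other than the boolean switches are placeholders, not recommendations.
stream:
  memcap: 64mb                 # placeholder
  checksum-validation: yes
  reassembly:
    memcap: 256mb              # placeholder
    depth: 1mb                 # placeholder

  # midstream: when true, Suricata starts tracking a TCP session it did not
  # see the 3-way handshake for (e.g. the sensor came up after the flow
  # began). Because the opening packets were never seen, the engine cannot
  # know with certainty which side is client/server, and any reassembled
  # payload begins at an arbitrary offset; rules that assume a clean
  # session start can therefore fire on partial or misattributed data.
  # Suricata 6+ ships with this set to false.
  midstream: false

  # async-oneside: when true, Suricata will track sessions where only one
  # direction of traffic is visible (asymmetric routing, one-sided taps).
  # Like midstream, this trades completeness of visibility against the
  # reliability of what the rules are matching on.
  async-oneside: false

  # Suricata 7 only: what to do with a flow that was picked up midstream.
  # "ignore" keeps the flow and inspects it as best it can; other values
  # let the engine drop/pass/bypass such flows instead of alerting on them.
  # midstream-policy: ignore
```

One practical consequence of the "direction is uncertain" point in the question: when comparing alert volume before and after a change, a midstream-picked-up session is still inspected against every rule, so any difference you measure comes from how many sessions the sensor sees without a handshake, not from the rule set itself.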