Suricata 6/7 - Benefits or Problems of Midstream Pickup

I am trying to understand the benefits or problems with enabling midstream pickup. This functionality is disabled in Suricata 6+ by default but was enabled in Suricata 4.

Several years ago my employer switched from Suricata 4 to Suricata 6 (and we are in the process of moving to v7 soon). One of the things I noticed is this feature being enabled. Originally, my employer used Yaff and they matched the Suricata 4 configuration to that.

At the moment, we get hundreds to thousands of alerts triggered through our client networks with midstream pickup. These alerts are not reviewed, because of the number of alerts generated and the uncertainty of the information.

My understanding is that we can’t be sure of the direction or content of the traffic when this triggers. We do not currently use async-oneside either.

Should this be kept enabled for all installations or only enabled in some cases? I am trying to understand so we can either remove the configuration and stop generating the alerts we do not act on currently or figure out how to make the alerts more actionable in some way.

I would only enable it if you are certain that you need to pick up on midstream, but it would be better to ensure that you always see the full flow in Suricata.
While the option being enabled might help with some corner cases it is better to ensure proper traffic forwarding.
So in the end it depends on your environment and some testing.
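The reply above says the decision comes down to your environment and some testing, and the question asks how the midstream alerts could be made actionable. One way to get data for that test is to triage existing EVE output: Suricata's alert and flow events share a flow_id, and the flow event carries end-of-flow packet counters per direction plus a summary of the TCP flags seen, so each alert can be labelled as coming from a flow whose handshake was seen, one picked up midstream (no SYN in either direction), or one only ever seen in one direction (the case async-oneside governs). The script below is an added example, not code from this thread or from the Suricata project. It assumes the EVE field layout of Suricata 6/7 flow events (a "flow" block with pkts_toserver/pkts_toclient and a "tcp" block with per-flag booleans that are only emitted when the flag was observed); the eve.json lines embedded in it are constructed for illustration, and the function names are the example's own.

```python
import json
from collections import Counter

# Constructed eve.json sample (not real customer data). Each flow has a
# "flow" event with Suricata's per-flow TCP flag summary, plus one alert that
# references it by flow_id. Flow 1 saw the handshake; flow 2 was picked up
# midstream (no SYN in either direction); flow 3 was only ever seen in one
# direction; flow 4 is UDP, which has no handshake to check.
SAMPLE_EVE = r'''
{"event_type":"flow","flow_id":1,"proto":"TCP","flow":{"pkts_toserver":12,"pkts_toclient":10,"state":"closed"},"tcp":{"tcp_flags":"1b","syn":true,"fin":true,"psh":true,"ack":true}}
{"event_type":"alert","flow_id":1,"proto":"TCP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED full flow hit"},"flow":{"pkts_toserver":6,"pkts_toclient":5}}
{"event_type":"flow","flow_id":2,"proto":"TCP","flow":{"pkts_toserver":40,"pkts_toclient":38,"state":"established"},"tcp":{"tcp_flags":"18","psh":true,"ack":true}}
{"event_type":"alert","flow_id":2,"proto":"TCP","alert":{"signature_id":9000002,"signature":"CONSTRUCTED midstream hit"},"flow":{"pkts_toserver":3,"pkts_toclient":2}}
{"event_type":"flow","flow_id":3,"proto":"TCP","flow":{"pkts_toserver":0,"pkts_toclient":7,"state":"established"},"tcp":{"tcp_flags":"18","psh":true,"ack":true}}
{"event_type":"alert","flow_id":3,"proto":"TCP","alert":{"signature_id":9000003,"signature":"CONSTRUCTED one-sided hit"},"flow":{"pkts_toserver":0,"pkts_toclient":1}}
{"event_type":"flow","flow_id":4,"proto":"UDP","flow":{"pkts_toserver":2,"pkts_toclient":2,"state":"established"}}
{"event_type":"alert","flow_id":4,"proto":"UDP","alert":{"signature_id":9000004,"signature":"CONSTRUCTED udp hit"},"flow":{"pkts_toserver":1,"pkts_toclient":1}}
'''


def load_events(text):
    """Parse newline-delimited EVE JSON into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def index_flows(events):
    """Map flow_id -> its 'flow' event, which carries the per-flow TCP flag summary."""
    return {e["flow_id"]: e for e in events if e.get("event_type") == "flow"}


def classify_alert(alert, flow_event):
    """Label one alert by how much of the flow Suricata actually saw.

    Priority: one-sided (direction unreliable) beats midstream (no handshake,
    so reassembly started from a guessed state) beats full.
    """
    # Prefer the flow event's end-of-flow counters; the alert's own "flow"
    # block is only a snapshot at alert time and serves as a fallback.
    counters = (flow_event or alert).get("flow", {})
    ts, tc = counters.get("pkts_toserver"), counters.get("pkts_toclient")
    if ts == 0 or tc == 0:
        return "one-sided"
    if alert.get("proto") != "TCP":
        return "full"          # UDP/ICMP have no handshake to check
    if flow_event is None:
        return "unknown"       # flow not (yet) logged, cannot judge
    # The boolean is only present when the flag was seen in either direction,
    # so a missing "syn" means the handshake was never observed.
    if not flow_event.get("tcp", {}).get("syn", False):
        return "midstream"
    return "full"


def triage(text):
    """Return ({label: count}, [(signature_id, label), ...]) for every alert in the input."""
    events = load_events(text)
    flows = index_flows(events)
    labelled = []
    for e in events:
        if e.get("event_type") != "alert":
            continue
        label = classify_alert(e, flows.get(e.get("flow_id")))
        labelled.append((e["alert"]["signature_id"], label))
    return dict(Counter(label for _, label in labelled)), labelled


if __name__ == "__main__":
    counts, labelled = triage(SAMPLE_EVE)
    for sid, label in labelled:
        print(f"sid {sid}: {label}")
    print(counts)
```

Run it over a day of real eve.json from one sensor and the counts tell you what the midstream alerts actually are: if most of them come from one-sided flows, the sensor is not receiving both directions and the reply's advice about traffic forwarding applies before any rule tuning; if they are mostly two-sided flows that simply lack a handshake, that is the corner case the option exists for, and the labels give you a field to route those alerts separately rather than dropping them with everything else. The two knobs under discussion live under the stream section of suricata.yaml (stream.midstream and stream.async-oneside).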

@Andreas_Herz That’s a good question. I work for a MSSP with multiple customers and it has been enabled by default for all customers which creates a bunch of events which are not directly sent to customers. hmm.