Suricata

Can you share your stats.log from when this happens?

flow.end.tcp_state.syn_sent                   | Total                     | 41

Can you inspect the flow logs for these sessions? See if anything interesting is logged?

How to do that?

cat eve.json | jq -c 'select(.drop)|.drop.reason'|sort|uniq -c
   1118 "flow drop" 
     14 "stream error" 
    131 "stream midstream" 

I don't know the reason of the "stream error"s. To get more insight enable the stream option in the anomaly log type, and/or enable stream-events in stats.

In 7 we now default to dropping on exceptions like this. To change this you can set a liberal exception policy --set exception-policy=ignore.

The problem solved after changing the "exception-policy: auto" to "exception-policy: ignore" in suricata.yaml. Thank you.

However, I find at least the following websites cannot be accessed. I do not know the reason. Any idea?

https://dotdotnews.com/
https://www.bochk.com/tc/home.html

The problem solved by setting "exception-policy: ignore" to "exception-policy: bypass". Thank you.