The Suricata 

Stream

 set of signatures generate alot of noise. They should be interpreted more as 

info

 level logs, more focused on adding context to a situation. Tbh, I typically disable them on PROD deployments. The most likely reason is because the Fleet server is offline.

Yep I been disabling the alerts and rules as I see them, I don't really care if an ACK is sent out of sequence or whatever. Mostly posting incase it is an issue in the way they are doing the TCP handshakes or something that needs to be remedied. yea probably is the server is offline so it's not getting the SYN ACK or whatever somes next.

I am 99.5% sure there's nothing custom about how osquery or Fleet does TCP-IP