For posterity, I found references in the web forum that the "stream"
rules basically don't work the way IDS is set up on pfSense, so they should be
disabled. I believe the issue is that it looks at the traffic in parallel, so
packets might be processed out of order.
Still not sure why
I got Suricata installed and operating. I found, oddly, that the
highest volume of packet errors alerted was to/from Symantec IPs. I added that
subnet as "trusted", but apparently that doesn't take effect unless automatic
blocking is also enabled. I have not had much luck having it act