Capture file does not always exist for alerts (Suricata v7 Conditional PCAP)

Hello,
I am using the new Conditional PCAP feature in Suricata v7.

When I run Suricata with pcap-log enabled, conditional set to alerts and mode set to multi, Suricata does log the alerts to PCAP files, but some of the alerts are written to eve.json without the capture_file field.

This is a problem because I use the capture_file field to determine which PCAP file the alert's packets were logged to, so that I can extract the relevant packets for each alert (as suggested here - video

Here are my pcap-log settings (the fragment below is the pcap-log section of suricata.yaml):

pcap-log:
  enabled: yes
  filename: pcap.%n.%t
  limit: 20mb
  max-files: 5
  compression: none
  mode: multi
  dir: /var/log/suricata/pcap
  use-stream-depth: no
  honor-pass-rules: no
  conditional: alerts

Hello,

Do you see this behavior with specific signatures?


Hmm, I can't say much about that.
I know that for the PCAPs I replayed to it, I got the problem with these two signatures:

  • alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"; flow:to_server,established; http.user_agent; content:"Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; nocase; depth:46; reference:url,doc.emergingthreats.net/2009358; classtype:exploit-kit; sid:2009358; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
  • alert http $HOME_NET any -> any any (msg:"ET SCAN Possible Nmap User-Agent Observed"; flow:to_server,established; http.user_agent; content:"|20|Nmap"; fast_pattern; classtype:exploit-kit; sid:2024364; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2017_06_08, deployment Perimeter, former_category SCAN, performance_impact Low, signature_severity Informational, updated_at 2020_08_06;)

However, those signatures raised 58 alerts in total, and only 8 of them came without capture_file.

So you are replaying a pcap file? In this case, there is a possibility that the alerts are coming from flow timeout handling. If so, the pkt_src field in the alert should be set to something other than "wire/pcap", which could prevent the pcap storage (I need to check that).


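The reply above suggests checking whether the alerts that lack capture_file are the ones whose pkt_src is not "wire/pcap". The script below is an added example written for this thread, not Suricata's own code or anything posted by the participants: it reads newline-delimited eve.json alert records, splits them by presence of capture_file, tallies them per pkt_src value so the flow-timeout hypothesis can be checked against real output, and, for the alerts that do carry capture_file, builds the tcpdump command that would pull that flow's packets out of the named PCAP file. It assumes the Suricata 7 eve alert layout (top-level capture_file and pkt_src, alert.signature_id, src_ip/dest_ip/src_port/dest_port/proto); the sample records, IPs, timestamps and file names embedded in it are constructed for illustration, and the pkt_src value "stream (flow timeout)" is used as an example of a non-"wire/pcap" value.

```python
"""Triage Suricata 7 eve.json alerts that lack a capture_file field.

Added example for this thread (not Suricata's own code). Assumes the
Suricata 7 eve alert schema: a top-level capture_file (present when
conditional pcap-log stored the packet) and pkt_src. Sample records
below are constructed for illustration.
"""
import json
from collections import defaultdict

# Constructed eve.json lines: one alert with capture_file, one without,
# plus a flow record that must be ignored. The file path and pkt_src
# values are illustrative, not taken from the thread.
SAMPLE_EVE = r"""
{"timestamp":"2023-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","pkt_src":"wire/pcap","alert":{"signature_id":2024364,"signature":"ET SCAN Possible Nmap User-Agent Observed"},"capture_file":"/var/log/suricata/pcap/pcap.1.1672567200"}
{"timestamp":"2023-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51235,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","pkt_src":"stream (flow timeout)","alert":{"signature_id":2009358,"signature":"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"}}
{"timestamp":"2023-01-01T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":51235,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP"}
"""


def parse_alerts(eve_text):
    """Return only the event_type == "alert" records from eve.json text."""
    alerts = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def split_by_capture_file(alerts):
    """Split alerts into (with_capture_file, without_capture_file)."""
    have = [a for a in alerts if "capture_file" in a]
    lack = [a for a in alerts if "capture_file" not in a]
    return have, lack


def pkt_src_summary(alerts):
    """Count alerts with and without capture_file per pkt_src value.

    If every alert lacking capture_file has a pkt_src other than
    "wire/pcap", that supports the flow-timeout explanation.
    """
    summary = defaultdict(lambda: {"with_capture_file": 0, "without_capture_file": 0})
    for a in alerts:
        key = "with_capture_file" if "capture_file" in a else "without_capture_file"
        summary[a.get("pkt_src", "<unset>")][key] += 1
    return dict(summary)


def bpf_for_alert(alert):
    """Build a BPF filter that selects the alert's flow in both directions."""
    proto = alert["proto"].lower()
    parts = [f"host {alert['src_ip']}", f"host {alert['dest_ip']}", proto]
    if proto in ("tcp", "udp"):  # ICMP and others carry no ports
        parts.append(f"port {alert['src_port']}")
        parts.append(f"port {alert['dest_port']}")
    return " and ".join(parts)


def extraction_commands(alerts):
    """tcpdump commands extracting each alert's flow from its capture_file.

    Alerts without capture_file are skipped: there is no file to read.
    """
    cmds = []
    for a in alerts:
        if "capture_file" not in a:
            continue
        sid = a["alert"]["signature_id"]
        cmds.append(
            f"tcpdump -r {a['capture_file']} -w sid{sid}.pcap '{bpf_for_alert(a)}'"
        )
    return cmds


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EVE)
    have, lack = split_by_capture_file(alerts)
    print(f"{len(alerts)} alerts, {len(lack)} without capture_file")
    for src, counts in pkt_src_summary(alerts).items():
        print(f"  pkt_src={src!r}: {counts}")
    for cmd in extraction_commands(have):
        print(cmd)
```

On a real deployment, replace SAMPLE_EVE with the contents of eve.json; the per-pkt_src table is the quick way to confirm or rule out the explanation given above before changing any rules.
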
Yes, you are right, I am replaying a PCAP.
But I don't think I quite understood your advice. Should I change those alerts in order to get the capture_file field?