Capture file not always exsits for alerts (Suricata v.7 Conditional PCAP)

Jackojack7 · April 23, 2023, 7:15am

Hello,
I am using the new feature Conditional PCAP on Suricata v.7.

When I run Suricata with pcap-log enabled, conditional set to alerts and mode set to multi - Suricata indeed logs the alerts to PCAP file but some of the alerts are logged to eve.json without the capture_file field.

This is a problem because I use the capture_file field to determine which PCAP file the alerts were logged to so that I can extract the relevant packets for the alerts (As suggested here - video

Here’s my pcap-log settings:

enabled: yes
filename: pcap.%n.%t
limit: 20mb
max-files: 5
compression: none
mode: multi
dir: /var/log/suricata/pcap
use-stream-depth: no
honor-pass-rules: no
conditional: alerts

Eric_Leblond · April 23, 2023, 8:10am

Hello,

Do you see this behavior on specific signatures ?

Jackojack7 · April 23, 2023, 8:54am

Hmm, I can’t say much about that.
I know that for the PCAPs I played to it, I got the problem on these 2 signatures:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:\"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)\"; flow:to_server,established; http.user_agent; content:\"Mozilla/5.0 (compatible|3b| Nmap Scripting Engine\"; nocase; depth:46; reference:url,doc.emergingthreats.net/2009358; classtype:exploit-kit; sid:2009358; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
alert http $HOME_NET any -> any any (msg:\"ET SCAN Possible Nmap User-Agent Observed\"; flow:to_server,established; http.user_agent; content:\"|20|Nmap\"; fast_pattern; classtype:exploit-kit; sid:2024364; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2017_06_08, deployment Perimeter, former_category SCAN, performance_impact Low, signature_severity Informational, updated_at 2020_08_06;)

However, I got those signatures to raise 58 alerts but just 8 of them came without capture_file.

Eric_Leblond · April 23, 2023, 9:08am

So you are replaying a pcap file ? In this case, there is a possibility that the alerts are coming from flow timeout handling. If this is the case, the .pkt_src field should be set in the alert to something that is not “wire/pcap” which could prevent the pcap storage (I need to check that).

Jackojack7 · April 23, 2023, 10:16am

Yes, you are right, I am playing PCAP.
But I think I didn’t quite understand your advice. should I change those alerts in order to get the “capture_file”?

oferdagan · April 9, 2025, 1:32pm

Hi, @Eric_Leblond
I also encountered this issue. Is there a solution? I need some way to correlate between an alert and pcap-log.

Topic		Replies	Views
Conditional PCAP may not log packets for all alerts	1	692	April 29, 2023
Conditional pcap-log fails to log packets for some alerts when using "pcap-file-continuous" flag Help suricata	7	1145	July 31, 2023
Pcap Capture - Include 3WHS and remaining flow data before TCP/HTTP alert	1	61	August 7, 2024
Suricata not trigger Alert via file Pcap record from Wireshark Help	5	1081	June 8, 2023
Conditional PCAP Logging with tag may lead to duplicated packets in certain cases Help	2	32	April 8, 2025

Capture file not always exsits for alerts (Suricata v.7 Conditional PCAP)

Related topics