I am using the new feature Conditional PCAP on Suricata v.7.
When I run Suricata with pcap-log enabled, conditional set to alerts and mode set to multi, Suricata indeed logs the alerts to a PCAP file, but some of the alerts are logged to eve.json without the
This is a problem because I use the capture_file field to determine which PCAP file the alerts were logged to, so that I can extract the relevant packets for the alerts (as suggested here - video
Do you see this behavior on specific signatures?
Hmm, I can’t say much about that.
I know that for the PCAPs I played to it, I got the problem on these 2 signatures:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"; flow:to_server,established; http.user_agent; content:"Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; nocase; depth:46; reference:url,doc.emergingthreats.net/2009358; classtype:exploit-kit; sid:2009358; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
alert http $HOME_NET any -> any any (msg:"ET SCAN Possible Nmap User-Agent Observed"; flow:to_server,established; http.user_agent; content:"|20|Nmap"; fast_pattern; classtype:exploit-kit; sid:2024364; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2017_06_08, deployment Perimeter, former_category SCAN, performance_impact Low, signature_severity Informational, updated_at 2020_08_06;)
However, I got those signatures to raise 58 alerts, but just 8 of them came without
So you are replaying a pcap file? In this case, there is a possibility that the alerts are coming from flow timeout handling. If this is the case, the .pkt_src field should be set in the alert to something that is not “wire/pcap” which could prevent the pcap storage (I need to check that).
Yes, you are right, I am playing PCAP.
But I think I didn’t quite understand your advice. Should I change those alerts in order to get the “capture_file”?
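A quick way to test the flow-timeout hypothesis raised above is to group the alerts in eve.json by their pkt_src value and count how many of each carry a capture_file. The script below is an added example and not part of the thread; the sample eve.json lines are constructed (the pkt_src strings in them are illustrative, so compare against what your own Suricata emits).

```python
import json
import sys
from collections import defaultdict

# Constructed sample eve.json lines (not from the original thread): one alert raised on a
# packet read from the pcap, one raised during flow timeout handling, and one non-alert event.
SAMPLE_EVE = """\
{"timestamp":"2023-01-01T00:00:01.000000+0000","event_type":"alert","pkt_src":"wire/pcap","alert":{"signature_id":2024364,"signature":"ET SCAN Possible Nmap User-Agent Observed"},"capture_file":"/var/log/suricata/log.pcap.1.1672531200"}
{"timestamp":"2023-01-01T00:00:02.000000+0000","event_type":"alert","pkt_src":"stream (flow timeout)","alert":{"signature_id":2009358,"signature":"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"}}
{"timestamp":"2023-01-01T00:00:03.000000+0000","event_type":"flow","flow":{"pkts_toserver":3}}
"""


def summarize_alerts(eve_text):
    """Count alert events per pkt_src, split by whether capture_file is present.

    Returns {pkt_src: {"with_capture_file": n, "without_capture_file": n}}.
    Alerts with no pkt_src key at all are grouped under "<missing>".
    """
    summary = defaultdict(lambda: {"with_capture_file": 0, "without_capture_file": 0})
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue  # only alerts can carry capture_file under conditional pcap-log
        src = event.get("pkt_src", "<missing>")
        key = "with_capture_file" if "capture_file" in event else "without_capture_file"
        summary[src][key] += 1
    return dict(summary)


def alerts_without_capture_file(eve_text):
    """List (signature_id, pkt_src) for every alert that lacks capture_file, for follow-up."""
    missing = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event_type") == "alert" and "capture_file" not in event:
            missing.append((event["alert"]["signature_id"], event.get("pkt_src", "<missing>")))
    return missing


if __name__ == "__main__":
    # Usage: python check_capture_file.py /var/log/suricata/eve.json (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    for src, counts in summarize_alerts(text).items():
        print(f"{src!r}: {counts}")
    print("alerts missing capture_file:", alerts_without_capture_file(text))
```

If every alert that lacks capture_file shares a pkt_src other than "wire/pcap", the missing field is tied to how that packet was produced rather than to the signature.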