Hello,
I am using the new feature Conditional PCAP on Suricata v.7.
When I run Suricata with pcap-log
enabled, conditional set to alerts
and mode set to multi
- Suricata indeed logs the alerts to PCAP file but some of the alerts are logged to eve.json
without the capture_file
field.
This is a problem because I use the capture_file
field to determine which PCAP file the alerts were logged to so that I can extract the relevant packets for the alerts (As suggested here - video
Here’s my pcap-log
settings:
enabled: yes
filename: pcap.%n.%t
limit: 20mb
max-files: 5
compression: none
mode: multi
dir: /var/log/suricata/pcap
use-stream-depth: no
honor-pass-rules: no
conditional: alerts
Hello,
Do you see this behavior on specific signatures ?
1 Like
Hmm, I can’t say much about that.
I know that for the PCAPs I played to it, I got the problem on these 2 signatures:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:\"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)\"; flow:to_server,established; http.user_agent; content:\"Mozilla/5.0 (compatible|3b| Nmap Scripting Engine\"; nocase; depth:46; reference:url,doc.emergingthreats.net/2009358; classtype:exploit-kit; sid:2009358; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
alert http $HOME_NET any -> any any (msg:\"ET SCAN Possible Nmap User-Agent Observed\"; flow:to_server,established; http.user_agent; content:\"|20|Nmap\"; fast_pattern; classtype:exploit-kit; sid:2024364; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2017_06_08, deployment Perimeter, former_category SCAN, performance_impact Low, signature_severity Informational, updated_at 2020_08_06;)
However, I got those signatures to raise 58 alerts but just 8 of them came without capture_file
.
So you are replaying a pcap file ? In this case, there is a possibility that the alerts are coming from flow timeout handling. If this is the case, the .pkt_src field should be set in the alert to something that is not “wire/pcap” which could prevent the pcap storage (I need to check that).
1 Like
Yes, you are right, I am playing PCAP.
But I think I didn’t quite understand your advice. should I change those alerts in order to get the “capture_file”?