Hello,
I am using the new “Conditional PCAP” feature on Suricata v7 rc1 to log alert packets.
I run Suricata with pcap-log enabled and conditional set to alerts. My Suricata instance is used only to process PCAPs with pcap-file-continuous enabled.
After a few months of testing this feature, I encountered a disturbing problem. It seems that when I play PCAPs to Suricata with the pcap-file-continuous configuration enabled, Suricata fails to log the packets for some alerts.
Scenarios I tested:
- Run Suricata with the flag -r <path> → play PCAPs → extract the packets from pcap-log based on eve.json (using GopherCap) → works fine!
- Run Suricata with the flags -r <path> and --pcap-file-continuous → play the same PCAPs → extract the packets from pcap-log based on eve.json (using GopherCap) → failed to extract the packets for some of the alerts.
- Run Suricata with the flags -r <path> and --pcap-file-continuous → play the same PCAPs → stop Suricata → extract the packets from pcap-log based on eve.json (using GopherCap) → works fine!
Here are my pcap-log settings:
enabled: yes
filename: pcap.%n.%t
limit: 20mb
max-files: 5
compression: none
mode: multi
dir: /var/log/suricata/pcap
use-stream-depth: no
honor-pass-rules: no
conditional: alerts
and my stream configuration:
memcap: 64mb
checksum-validation: yes
inline: auto
reassembly:
  memcap: 256mb
  depth: 1mb # reassemble 1mb into a stream
  toserver-chunk-size: 2560
  toclient-chunk-size: 2560
  randomize-chunk-size: yes
Here are examples of signatures that Suricata usually fails to log packets for (given the PCAPs I played):
alert dns any any -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - sinkhole.cert.pl 148.81.111.111"; content:"|00 01 00 01|"; content:"|00 04 94 51 6f 6f|"; distance:4; within:6; classtype:trojan-activity; sid:2016413; rev:5; metadata:created_at 2013_02_15, former_category DNS, updated_at 2022_07_13;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible eDellRoot Rogue Root CA"; flow:established,to_client; tls.cert_issuer; content:"CN=eDellRoot"; fast_pattern; reference:url,Dell does a Superfish, ships PCs with easily cloneable root certificates | Ars Technica; classtype:trojan-activity; sid:2022134; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_03_24;)
Could anyone please help me figure out whether this is a bug or just a configuration issue?
Thank you in advance!
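The post's "extract the packets from pcap-log based on eve.json" step is the check that exposes the problem, so here is a self-contained way to perform it without GopherCap. This is an added example for this thread, not code from the original post, from GopherCap or from Suricata. It assumes classic libpcap files (not pcapng) with Ethernet framing carrying IPv4 TCP/UDP, and eve.json alert lines with the usual timestamp, src_ip, src_port, dest_ip, dest_port, proto and alert.signature_id keys. An alert counts as "logged" when the pcap contains a packet of the same flow (either direction) within an assumed 1-second window of the alert timestamp. The pcap bytes and eve.json lines at the bottom are constructed sample data, not real traffic.

```python
"""Report which eve.json alerts have no matching packet in a Suricata pcap-log file.
Added example for this thread (not from the post, GopherCap or Suricata); stdlib only.
Assumes classic libpcap, Ethernet link type, IPv4 TCP/UDP, standard eve alert keys."""
import json
import socket
import struct
import sys
from datetime import datetime


def _pcap_layout(magic_bytes):
    """Return (struct endianness prefix, timestamp fraction unit) for a libpcap header."""
    for endian in ("<", ">"):
        magic, = struct.unpack(endian + "I", magic_bytes)
        if magic == 0xA1B2C3D4:
            return endian, 1e-6  # microsecond-resolution pcap
        if magic == 0xA1B23C4D:
            return endian, 1e-9  # nanosecond-resolution pcap
    raise ValueError("not a classic libpcap file (pcapng is not handled here)")


def iter_pcap(data):
    """Yield (timestamp as float seconds, raw frame bytes) for every record."""
    endian, unit = _pcap_layout(data[:4])
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only the Ethernet link type is handled in this example")
    off = 24  # global header is 24 bytes; each record header is 16 bytes
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield sec + frac * unit, data[off:off + incl_len]
        off += incl_len


def five_tuple(frame):
    """(proto, src_ip, src_port, dst_ip, dst_port) for Ethernet/IPv4 TCP or UDP, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    l4 = 14 + ihl
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return ({6: "TCP", 17: "UDP"}[proto], socket.inet_ntoa(frame[26:30]), sport,
            socket.inet_ntoa(frame[30:34]), dport)


def parse_eve_timestamp(value):
    """Suricata eve timestamps look like 2023-11-14T22:13:20.500000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()


def check_alerts(eve_lines, pcap_bytes, window=1.0):
    """For each alert line, record whether a packet of the same flow (either direction)
    exists in the pcap within `window` seconds of the alert timestamp."""
    packets = [(ts, five_tuple(f)) for ts, f in iter_pcap(pcap_bytes)]
    packets = [(ts, t) for ts, t in packets if t is not None]
    results = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        ts = parse_eve_timestamp(ev["timestamp"])
        fwd = (ev["proto"].upper(), ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"])
        rev = (fwd[0], fwd[3], fwd[4], fwd[1], fwd[2])
        logged = any(t in (fwd, rev) and abs(pts - ts) <= window for pts, t in packets)
        results.append({"sid": ev["alert"]["signature_id"], "timestamp": ev["timestamp"],
                        "flow": fwd, "logged": logged})
    return results


# --- constructed sample data (not real traffic): one DNS exchange and two alerts ---
def _udp_frame(src, sport, dst, dport, payload):
    eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs, EtherType IPv4
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))  # checksums left at 0
    return eth + ip + udp


def build_pcap(frames):
    """Little-endian microsecond libpcap file with Ethernet link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    (1700000000.4, _udp_frame("10.0.0.5", 40000, "8.8.8.8", 53, b"\x12\x34\x01\x00")),
    (1700000000.5, _udp_frame("8.8.8.8", 53, "10.0.0.5", 40000, b"\x12\x34\x81\x80")),
])
SAMPLE_EVE_LINES = [  # first alert has a logged packet, second (TCP/TLS) has none
    json.dumps({"timestamp": "2023-11-14T22:13:20.500000+0000", "event_type": "alert",
                "src_ip": "8.8.8.8", "src_port": 53, "dest_ip": "10.0.0.5", "dest_port": 40000,
                "proto": "UDP", "alert": {"signature_id": 2016413}}),
    json.dumps({"timestamp": "2023-11-14T22:13:25.000000+0000", "event_type": "alert",
                "src_ip": "93.184.216.34", "src_port": 443, "dest_ip": "10.0.0.5", "dest_port": 51000,
                "proto": "TCP", "alert": {"signature_id": 2022134}}),
]

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py eve.json /var/log/suricata/pcap/<one pcap file>
        with open(sys.argv[1]) as fh, open(sys.argv[2], "rb") as ph:
            rows = check_alerts(fh, ph.read())
    else:
        rows = check_alerts(SAMPLE_EVE_LINES, SAMPLE_PCAP)
    for row in rows:
        print("sid %d at %s %s: %s" % (row["sid"], row["timestamp"], row["flow"],
                                       "logged" if row["logged"] else "MISSING"))
```

Because the post's pcap-log runs in mode: multi with a 20 MB limit and max-files: 5, alerts are spread over several rotated files; run the script once per file (or concatenate the record bodies first) and treat an alert as missing only if it is missing from all of them. Alerts raised on reassembled stream data may be timestamped on a later packet than the one that carried the matching bytes, which is why the match uses the whole flow within a window rather than an exact packet timestamp.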