On version 7 of Suricata, a great new feature is introduced for conditional PCAP log. I read the documentation and watched the explanation on youtube.
I learned that a conditional PCAP log uses streaming segments to “rewind” in time and reassemble the alert flow and then logs the reassembled packets. My questions:
How long can such a flow be in terms of size and time?
For example, if at the end of a really long flow (days or hours) I get one packet that causes an alert, can Suricata log the whole flow?
Can I configure this property so I can handle the Suricata limit for flow logging (size/time)?
Tracking is done, but the main work (aka detection and application layer) is done following the stream.depth settings. It controls when Suricata stops inspecting data.
Conditional pcap is using the regular Suricata pcap store, so you can use an option to tell it to stop writing to the pcap after the stream depth:
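As an added illustration (not part of the reply above), the two settings the reply refers to live in suricata.yaml: the stream reassembly depth, which caps how much of a flow is tracked and inspected, and the pcap-log output, which can be told to honor that depth. The option names below are the ones in the default suricata.yaml; the sizes and paths are illustrative values chosen for this example, not recommendations.

```yaml
# suricata.yaml fragment (example values)
stream:
  reassembly:
    # Stop inspecting a flow once this much data has been reassembled
    # (1mb is the stock default). Anything past this point is tracked
    # but no longer inspected, so it also cannot trigger a new alert.
    depth: 1mb

outputs:
  - pcap-log:
      enabled: yes
      filename: log.pcap
      limit: 1000mb          # rotate the file at this size
      max-files: 2000        # ring-buffer size for rotated files
      mode: normal
      # Only write packets belonging to flows that produced an alert;
      # buffered stream segments are "rewound" so the flow's earlier
      # packets are included.
      conditional: alerts
      # Stop writing a flow's packets once stream.reassembly.depth is
      # reached, so pcap logging is bounded by the same limit as inspection.
      use-stream-depth: yes
```

With use-stream-depth left at no, the pcap writer keeps logging a matched flow's packets past the inspection depth; setting it to yes makes the on-disk size of one logged flow follow stream.reassembly.depth, which is the knob the question asks about.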