Conditional pcap-log max flow size/length

1

Hi there,

On version 7 of Suricata, a great new feature is introduced for conditional PCAP log. I read the documentation and watched the explanation on youtube.

I learned that a conditional PCAP log uses streaming segments to “rewind” in time and reassemble the alert flow and then logs the reassembled packets. My questions:

  • How long such a flow can be in terms of size and time?
    for example, if at the end of a really long flow (days or hours) I get one packet that causes an alert, Suricata can log all the flow?
  • Can I configure this property so I can handle the Suricata limit for flow logging (size/time)?

Thanks a lot!

2

Yes, flow timeout can be configured in the config - suricata/suricata.yaml.in at master · OISF/suricata · GitHub

3

Thank you!
This configuration control when the flow is timed out but if the flow is alive for days? Do we still keep tracking it?

4

Tracking is done but main work aka detection and application layer is done following the stream.depth settings. It controls when Suricata stops inspecting data.

Conditional pcap is using regular Suricata pcap store so you can use option to tell it to stop writing to the pcap after the stream depth:

 - pcap-log:
    use-stream-depth: yes
5

Great thank you! and the way I control the depth is on reassembly?
https://suricata.readthedocs.io/en/suricata-7.0.0-rc1/configuration/suricata-yaml.html?highlight=stream-depth#stream-engine

Or this setting only controls TCP?

6

Yes, only TCP, this does not apply to UDP.

7

Thank you again!
So, how can I control the UDP stream depth?