Conditional PCAP Logging with tag may lead to duplicated packets in certain cases

Hello,

I’m encountering an issue with the “conditional pcap-log” feature in Suricata, where it may log duplicated packets with biased offsets under specific conditions.

Below are the configuration and the PCAP file used with suricata-verify to replicate the issue and illustrate the expected logged PCAP.

input.pcap (2.3 KB)
suricata.yaml

%YAML 1.1
---

pcap-file:
    checksum-checks: no

outputs:
  - pcap-log:
      enabled: yes
      filename: log.pcap
      limit: 10mb
      max-files: 20
      compression: none
      mode: normal
      use-stream-depth: no
      honor-pass-rules: no
      conditional: tag

test.rules

alert tcp any any -> any any (msg:"POP3 AUTH";content:"USER ";nocase;offset:0;depth:5;tag:session,20,packets;noalert;sid:100000001;)

test.yaml

requires:
  min-version: 7.0.0

checks:
  - shell:
      args: test -e log.pcap.1030296065 &&
        [ "$(stat -c %s log.pcap.1030296065)" -eq 1874 ]

The problem appears when the noalert option is removed from the rules. In this case, the first packet is logged twice with a biased offset.

Has anyone else faced this issue? Any advice or insights on how to resolve this would be greatly appreciated!

Thank you!
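To check a logged PCAP for the symptom described above (the same packet written twice, possibly with a shifted payload), here is an added example that is not from the original post or the Suricata project: it parses a classic pcap file with only the standard library and reports records that repeat an earlier record's bytes or capture timestamp. The sample pcap it builds is constructed inline and is not the attached input.pcap.

```python
import struct

# pcap magic values as read little-endian; the nanosecond variants are also accepted.
PCAP_MAGIC_US, PCAP_MAGIC_NS = 0xA1B2C3D4, 0xA1B23C4D
LINKTYPE_ETHERNET = 1

def write_pcap(records):
    """Serialise (ts_sec, ts_usec, frame) records into a little-endian pcap image."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Parse a pcap image, yielding (index, ts_sec, ts_frac, frame) per record."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):   # same magics in a big-endian file
        endian = ">"
    else:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    off, idx = 24, 0
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        yield idx, ts_sec, ts_frac, frame
        off, idx = off + 16 + incl_len, idx + 1

def _repeats(data, keyfn):
    seen, dups = {}, []
    for idx, ts_sec, ts_frac, frame in read_pcap(data):
        key = keyfn(ts_sec, ts_frac, frame)
        if key in seen:
            dups.append((seen[key], idx))   # (first occurrence, repeat)
        else:
            seen[key] = idx
    return dups

def duplicate_frames(data):
    """Index pairs for records whose bytes exactly repeat an earlier frame."""
    return _repeats(data, lambda s, f, fr: fr)

def duplicate_timestamps(data):
    """Index pairs for records sharing a capture timestamp with an earlier one;
    this still flags a re-logged packet whose bytes were shifted by an offset."""
    return _repeats(data, lambda s, f, fr: (s, f))

def sample_pcap():
    """Constructed sample: a POP3 USER frame logged twice, once byte-identical
    and once with its start shifted, followed by a normal reply frame."""
    l2 = bytes(14)                                   # placeholder Ethernet header
    user, ok = l2 + b"USER alice\r\n", l2 + b"+OK\r\n"
    return write_pcap([(1700000000, 10, user), (1700000000, 10, user),
                       (1700000000, 10, user[2:]), (1700000000, 20, ok)])
```

Run the two checks against the pcap-log output (for example log.pcap.1030296065 from the test) to see whether the repeats are byte-identical or only share a timestamp; an empty result from both means no record was logged twice.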

Could you also add the run command that you used for suricata and suricata --build-info so we can make sure to replicate the potential bug as closely as possible?

Sorry about the oversight. Considering that suricata-verify is used, the corresponding command would be suricata -r input.pcap -s test.rules -c suricata.yaml with the provided files.

Allow me to add a bit more: the test I provided (without the noalert keyword) only produces a PCAP with duplicate packets containing “user”. Additional payload discrepancies may occur in certain environments (such as those involving VLAN).

And here’s the suricata --build-info:

This is Suricata version 7.0.10 RELEASE
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_JA3 HAVE_JA4 HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST POPCNT64 
SIMD support: SSE_2 
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 12.2.0, C version 201112
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.50, linked against LibHTP v0.5.50

Suricata Configuration:
  AF_PACKET support:                       yes
  AF_XDP support:                          no
  DPDK support:                            no
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no 
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  PCRE jit:                                yes
  LUA support:                             no
  libluajit:                               no
  GeoIP2 support:                          no
  JA3 support:                             yes
  JA4 support:                             yes
  Non-bundled htp:                         no
  Hyperscan support:                       yes
  Libnet support:                          yes
  liblz4 support:                          yes
  Landlock support:                        yes

  Rust support:                            yes
  Rust strict mode:                        no
  Rust compiler path:                      /usr/local/cargo/bin/rustc
  Rust compiler version:                   rustc 1.82.0 (f6e511eec 2024-10-15)
  Cargo path:                              /usr/local/cargo/bin/cargo
  Cargo version:                           cargo 1.82.0 (8f40fc59f 2024-08-21)

  Python support:                          yes
  Python path:                             /usr/bin/python3
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 no, not bundled

  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Profiling rules enabled:                 no

  Plugin support (experimental):           yes
  DPDK Bond PMD:                           no

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Fuzz targets enabled:                    no

Generic build parameters:
  Installation prefix:                     
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 
  --sysconfdir                             /etc
  --localstatedir                          /var
  --datarootdir                            /share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc (exec name) / g++ (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                no
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -fPIC -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
  PCAP_CFLAGS                               -I/usr/include
  SECCFLAGS