Hello,
I am using the new feature Conditional PCAP on Suricata v.7 - I run Suricata with pcap-log enabled, conditional set to alerts.
Yesterday, I posted a question about the absence of the field capture_file for some alerts when pcap-log’s mode is set to multi.
However, today I encountered a more disturbing problem and I am not quite sure it’s related.
I found that the new feature Conditional PCAP on Suricata v.7 - does not log the packets for all the alerts.
I ran Suricata v.7.1 and played PCAP to it, Suricata raise several alerts but when I iterated over the eve.json and tried to extract the relevant packets with GopherCap as suggested here or simply tried to extract the relevant packets for the alert based on the four-tuple using BPF - I found the packets of some of the alerts does not exist at all.
I manage to reproduce this problem even when I set the pcap-log’s mode to regular or even if i changed stream.inline.
Here are my pcap-log settings:
enabled: yes
filename: pcap.%n.%t
limit: 20mb
max-files: 5
compression: none
mode: multi
dir: /var/log/suricata/pcap
use-stream-depth: no
honor-pass-rules: no
conditional: alerts
I saw this issue most of the time for these 2 signatures (ET open alerts):
alert dns any any → $HOME_NET any (msg:“ET DNS Reply Sinkhole - sinkhole.cert.pl 148.81.111.111”; content:“|00 01 00 01|”; content:“|00 04 94 51 6f 6f|”; distance:4; within:6; classtype:trojan-activity; sid:2016413; rev:5; metadata:created_at 2013_02_15, former_category DNS, updated_at 2022_07_13;)
alert tls $EXTERNAL_NET any → $HOME_NET any (msg:“ET WEB_CLIENT Possible eDellRoot Rogue Root CA”; flow:established,to_client; tls.cert_issuer; content:“CN=eDellRoot”; fast_pattern; reference:url,arstechnica.com/security/2015/11/dell-does-superfish-ships-pcs-with-self-signed-root-certificates/; classtype:trojan-activity; sid:2022134; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_03_24;)
Can anyone help me figure out whether this is bug or problem with my configuration?