I am using the new feature Conditional PCAP on Suricata v.7 - I run Suricata with
pcap-log enabled, conditional set to
Yesterday, I posted a question about the absence of the field
capture_file for some alerts when
mode is set to
However, today I encountered a more disturbing problem and I am not quite sure it’s related.
I found that the new feature
Conditional PCAP on Suricata v.7 - does not log the packets for all the alerts.
I ran Suricata v.7.1 and played a PCAP to it; Suricata raised several alerts, but when I iterated over the
eve.json and tried to extract the relevant packets with
GopherCap as suggested here, or simply tried to extract the relevant packets for the alert based on the four-tuple using BPF, I found that the packets of some of the alerts do not exist at all.
I managed to reproduce this problem even when I set the
regular or even if I changed
Here are my
I saw this issue most of the time for these 2 signatures (ET open alerts):
alert dns any any -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - sinkhole.cert.pl 18.104.22.168"; content:"|00 01 00 01|"; content:"|00 04 94 51 6f 6f|"; distance:4; within:6; classtype:trojan-activity; sid:2016413; rev:5; metadata:created_at 2013_02_15, former_category DNS, updated_at 2022_07_13;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible eDellRoot Rogue Root CA"; flow:established,to_client; tls.cert_issuer; content:"CN=eDellRoot"; fast_pattern; reference:url,Dell does a Superfish, ships PCs with easily cloneable root certificates | Ars Technica; classtype:trojan-activity; sid:2022134; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_03_24;)
Can anyone help me figure out whether this is a bug or a problem with my configuration?
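One way to audit the symptom described above (alerts in eve.json whose four-tuple never shows up in the pcap-log output) without GopherCap or BPF, as an added example that is not part of the original post or of Suricata: a stdlib-only checker that parses classic libpcap files with Ethernet/IPv4 frames, builds direction-agnostic flow keys, and lists the signature ids that have no logged packet. The eve.json lines and the pcap bytes are constructed inline for the demonstration (the sids are the two from the post); the IPs and ports are invented.

```python
import json
import socket
import struct

def parse_pcap(data):
    """Yield (src_ip, dst_ip, sport, dport, proto) for each Ethernet/IPv4 packet in a libpcap buffer."""
    endian = "<" if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4 else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl = struct.unpack_from(endian + "IIII", data, off)[2]  # incl_len of this record
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":  # Ethernet + IPv4 only
            continue
        ihl, proto = (pkt[14] & 0x0F) * 4, pkt[23]
        l4 = pkt[14 + ihl:]
        ports = struct.unpack("!HH", l4[:4]) if proto in (6, 17) and len(l4) >= 4 else (0, 0)
        yield (socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34]), ports[0], ports[1], proto)

def flow_key(src, dst, sport, dport, proto):  # direction-agnostic: a reply matches an alert on the request
    ends = sorted([(src, sport), (dst, dport)])
    return (ends[0], ends[1], proto)

def alerts_without_packets(eve_lines, pcap_bytes):
    """Return the signature_ids of eve.json alerts whose flow never appears in the pcap."""
    seen = {flow_key(*t) for t in parse_pcap(pcap_bytes)}
    missing = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        proto = {"TCP": 6, "UDP": 17}.get(ev["proto"], 0)
        key = flow_key(ev["src_ip"], ev["dest_ip"], ev["src_port"], ev["dest_port"], proto)
        if key not in seen:
            missing.append(ev["alert"]["signature_id"])
    return missing

def udp_frame(src, dst, sport, dport, payload=b""):  # constructed Ethernet/IPv4/UDP frame, not real capture data
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zeroed MACs, EtherType IPv4
def build_pcap(frames):  # minimal little-endian libpcap file, linktype 1 (Ethernet)
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
EVE = [  # constructed eve.json alert records using the two sids from the post
    json.dumps({"event_type": "alert", "proto": "UDP", "src_ip": "10.0.0.53", "dest_ip": "10.0.0.5", "src_port": 53, "dest_port": 51000, "alert": {"signature_id": 2016413}}),
    json.dumps({"event_type": "alert", "proto": "TCP", "src_ip": "198.51.100.7", "dest_ip": "10.0.0.5", "src_port": 443, "dest_port": 51001, "alert": {"signature_id": 2022134}}),
]
PCAP = build_pcap([udp_frame("10.0.0.53", "10.0.0.5", 53, 51000, b"\x00" * 12)])  # only the DNS reply was logged
```

On real data pass the lines of eve.json and the bytes of each pcap-log file in turn; the parser covers only classic libpcap format with an Ethernet link type, so VLAN-tagged or pcapng output would need extending.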