Filtering pcap logs

Please include the following information with your help request:

  • Suricata version 7.0.8
  • Ubuntu 24.04.1 LTS
  • Suricata installed from source

Hi all,

I am trying to log HTTP/1.0 and HTTP/1.1 traffic separately using Suricata, but I am encountering some issues. I’ve written custom Suricata rules to detect and log HTTP/1.0 and HTTP/1.1 traffic separately. Below are the rules I created:

# HTTP 1, 2 : 1000-1099

#alert http any any <> any any (msg: "HTTP istegi gecti"; flow: established, to_server; flowbits: set, gecsin; tag: session; sid: 1000;)
alert http any any -> any any (msg:"HTTP/1.1 Traffic"; content:"HTTP/1.1"; flow:established,to_server; flowbits: set,gecsin;tag:session; sid:1002;)
alert http any any -> any any (msg:"HTTP/1.0 Traffic"; content:"HTTP/1.0"; flow:established,to_server; flowbits: set,gecsin;tag:session; sid:1003;)

alert http any any -> any any (msg: "HTTP cevabi gecti"; flow: established, to_client; flowbits: set, gecsin; sid: 1050;)

pass ip any any -> any any (msg: "TANIMLI TRAFIK GECTI"; flowbits: isset, gecsin; flowbits: noalert; sid: 9999980;)
drop ip any any -> any any (msg: "TANIMSIZ TRAFIK ENGELLENDI"; flowbits: isnotset, gecsin; sid: 9999999;)

I configured Suricata to log the captured traffic into PCAP files and use the tag feature to separate HTTP/1.0 and HTTP/1.1 traffic. My intention was to log the traffic separately, ideally saving each HTTP version’s traffic into different files or directories.

I try to curl with -0 and with the default, so as to create two separate pcap files, but for example when I curl -0 it creates a pcap, yet it does not create another one for HTTP/1.1. This situation is the same the other way around as well. So my question is: how can I create separate pcap files by looking into the content?

There is currently no support for routing packets into separate pcap files based on rules. What you can do is extract the traffic from the logged pcap based on the IP addresses and ports from the alerts.
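The extraction the reply describes, as an added example that is not from this thread or from the Suricata project: pure-stdlib Python that takes the EVE alert lines for sids 1002 and 1003 plus the pcap-log file, and writes both directions of every alerted flow into a per-sid pcap. The EVE field names (src_ip, src_port, dest_ip, dest_port, alert.signature_id) are Suricata's; the pcap is assumed to be Ethernet/IPv4 (the default pcap-log output), and the frames and alerts at the bottom are constructed sample input.

```python
import json, struct
from collections import defaultdict

def alert_flows(eve_lines):
    """signature_id -> set of (src, sport, dst, dport) taken from EVE 'alert' records."""
    flows = defaultdict(set)
    for rec in (json.loads(l) for l in eve_lines if l.strip()):
        if rec.get("event_type") == "alert":
            flows[rec["alert"]["signature_id"]].add(
                (rec["src_ip"], rec["src_port"], rec["dest_ip"], rec["dest_port"]))
    return flows

def packet_tuple(frame):
    """(src, sport, dst, dport) of an Ethernet/IPv4 TCP or UDP frame, else None."""
    if len(frame) < 38 or frame[12:14] != b"\x08\x00" or frame[23] not in (6, 17):
        return None
    sport, dport = struct.unpack("!HH", frame[14 + (frame[14] & 0x0F) * 4:][:4])
    return (".".join(map(str, frame[26:30])), sport, ".".join(map(str, frame[30:34])), dport)

def split_pcap(pcap_bytes, flows):
    """{sid: pcap bytes} holding both directions of every flow alerted under that sid."""
    hdr, pos = pcap_bytes[:24], 24
    endian = "<" if struct.unpack("<I", hdr[:4])[0] in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    out = {sid: [hdr] for sid in flows}
    while pos + 16 <= len(pcap_bytes):
        incl = struct.unpack(endian + "IIII", pcap_bytes[pos:pos + 16])[2]
        rec, pos = pcap_bytes[pos:pos + 16 + incl], pos + 16 + incl
        t = packet_tuple(rec[16:])
        for sid, fl in flows.items():
            if t and (t in fl or (t[2], t[3], t[0], t[1]) in fl):
                out[sid].append(rec)
    return {sid: b"".join(chunks) for sid, chunks in out.items()}
# Constructed sample input (not real captures): minimal frame/pcap builders and two EVE alerts.
def make_frame(src, sport, dst, dport, payload):
    ip = lambda a: bytes(map(int, a.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip(src), ip(dst))
    return b"\x00" * 12 + b"\x08\x00" + iph + tcp  # zero MACs and checksums are fine for parsing
def make_pcap(frames):  # little-endian pcap file header, LINKTYPE_ETHERNET
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 1, i, len(f), len(f)) + f for i, f in enumerate(frames))
EVE = [json.dumps({"event_type": "alert", "src_ip": "10.0.0.5", "src_port": p, "dest_ip": "10.0.0.9",
                   "dest_port": 80, "alert": {"signature_id": s}}) for p, s in ((40001, 1003), (40002, 1002))]
PCAP = make_pcap([
    make_frame("10.0.0.5", 40001, "10.0.0.9", 80, b"GET / HTTP/1.0\r\n\r\n"),
    make_frame("10.0.0.9", 80, "10.0.0.5", 40001, b"HTTP/1.0 200 OK\r\n\r\n"),
    make_frame("10.0.0.5", 40002, "10.0.0.9", 80, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),
    make_frame("10.0.0.5", 40003, "10.0.0.9", 443, b"\x16\x03\x01")])  # no alert: kept out of both
PER_SID = split_pcap(PCAP, alert_flows(EVE))  # e.g. open("sid-1003.pcap", "wb").write(PER_SID[1003])
```

With a real deployment, read eve.json line by line and the pcap-log file as bytes in place of EVE and PCAP; the per-sid outputs open in Wireshark or tcpdump like any other pcap.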


Thank you for the assistance.