is there a way to trigger a Full Packet Capture when a specific alert is triggered?
I am ingesting Suricata logs in Splunk and I use Splunk Stream app to achieve it, but I wonder if it is already an embedded suricata feature that I missed.
It would be ideal to have a small pcap starting from the packet that triggered the rule.
currently there is only full pcap without correlation to alerts, but there is work done on conditional logging to generate alert specific pcaps. This will still have some limitiations. See the talk from Eric at SuriCon 2021 SuriCon 2021 | Boston/Virtual – SURICON Conditional PCAP