Is there any way to link alert and log.pcap?

I would like to know the packet (not stream) at the time the alert was raised, which is difficult to do in 6.0.
I would like to take advantage of the ability to save a PCAP when an ALERT occurs, which was added in 7.0.
Is there any way to associate the alert with the log.pcap?
I tried to use the time when the alert occurred and the timestamp provided by log.pcap.{timestamp}, but the difference in time makes it difficult to connect them accurately.

Hi,
I’m facing the same issue myself. Did you find a solution?

In my opinion, Suricata’s detection logic is rule-dependent. If a flow-based rule is triggered, the alert likely doesn’t correspond to the current packet being processed, making it difficult to capture the exact timing. (This is just my personal observation.)

I don't think you can get that data just from alert events (if we talk about eve logs).

But you can get them from alert-debug.log:

TCP SEQ: 2930015708
TCP ACK: 1531036373

Corresponding Wireshark filters:

tcp.seq_raw == 2930015708
tcp.ack_raw == 1531036373
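
Added example, not part of any post in this thread and not Suricata project code: a Python helper that pulls every TCP SEQ/ACK pair out of alert-debug.log text and builds one Wireshark display filter for the alerted packets. It assumes the field labels look like the `TCP SEQ:` / `TCP ACK:` lines quoted above; the function names and the rest of the sample record layout are constructed for illustration.

```python
import re

# Constructed sample, not real capture data. Only the "TCP SEQ:" / "TCP ACK:"
# labels come from the post above; the other lines are an assumed layout.
SAMPLE_ALERT_DEBUG = """\
+================
TIME:              01/01/2024-00:00:00.000001
PROTO:             6
TCP SEQ:           2930015708
TCP ACK:           1531036373
+================
TIME:              01/01/2024-00:00:01.000002
PROTO:             17
+================
TIME:              01/01/2024-00:00:02.000003
PROTO:             6
TCP SEQ:           2930015708
TCP ACK:           1531036373
+================
TIME:              01/01/2024-00:00:03.000004
PROTO:             6
TCP SEQ:           100
TCP ACK:           0
"""

FIELD = re.compile(r"^\s*TCP (SEQ|ACK):\s*(\d+)\s*$")

def seq_ack_pairs(text):
    """Return unique (seq, ack) pairs in order of first appearance."""
    pairs, seq = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # non-TCP records and other fields are skipped
        kind, value = m.group(1), int(m.group(2))
        if kind == "SEQ":
            seq = value  # a SEQ with no ACK after it is overwritten
        elif seq is not None:
            if (seq, value) not in pairs:
                pairs.append((seq, value))
            seq = None
    return pairs

def wireshark_filter(pairs):
    """Build one display filter matching any of the alerted packets."""
    clauses = [f"(tcp.seq_raw == {s} && tcp.ack_raw == {a})" for s, a in pairs]
    return " || ".join(clauses)

if __name__ == "__main__":
    print(wireshark_filter(seq_ack_pairs(SAMPLE_ALERT_DEBUG)))
```

The printed expression can be pasted into Wireshark's display filter bar with the log.pcap file open. A retransmitted segment carries the same raw SEQ/ACK values, so a pair can match more than one packet.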