Original pcap packet storage problem

Hello, more and more scenarios require that you be able to download the original pcap package when an alarm is triggered, and especially that the full flow that triggered the alarm event can be indexed through the alarm event. Will a subsequent version consider this? Thank you!

No, since it’s not that easy, see Documentation #2219: "Save pcap only if alert" and Feature #120: "Capture full session on alert" (both in the Suricata issue tracker, Open Information Security Foundation).

Have you solved it? I’m the same as you.