Packet logging enabled, 2 hits and more then a million packets logged


This rule is enabled both on the inside network as the border side (internet):

alert udp $HOME_NET any → any any (msg:“ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (udp) (Outbound) (CVE-2021-44228)”; content:“|24 7b|”; content:“|24 7b 3a 3a|”; within:100; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034805; rev:3; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, confidence Low, signature_severity Major, tag Exploit, updated_at 2023_06_05;)

Yesterday there where 2 hits: one on the inside ip and one on the nat ip adress causing million of packets to be logged so taking a big amount of file storage (the complete stream for both?)


  • pcap-log:
    enabled: yes
    filename: log.pcap
    limit: 1000mb
    max-files: 2000
    compression: lz4
    #lz4-checksum: no
    lz4-level: 4
    mode: normal
    use-stream-depth: yes
    honor-pass-rules: yes
    conditional: alerts

Is this expected behaviour according to our config, or something I need to correct in the suricata config?


What version are you using?

Post the suricata.yaml, stats.log, suricata.log and the actual run command of Suricata.

So the pcap that got created is the one referenced in the alert event?

8.0.0-dev (07ec8b202 2024-02-24)

log files allready have rotated, sorry. Relevant part of suricata.yaml already posted. If you need more, please via email or such seen the possible sensitive production config.

No there is no capture_file mentioned this time so had to look it up by dest and src ip related to time.