Hello, I’m using Suricata 7.0.6 and pcap capture along with the conditional option set to alerts.
Is there any way to log the full flow that eventually lead to an alert (additionally to the alerting packets and remaining data) ?
It is my understanding that Suricata, with conditional set to alerts, only log packets including and after the alert takes place. Would it be possible (with a combination of suricata rules, for example) to capture the full TCP/HTTP session of an alert?
I’ve tried the following, which won’t work because “flowbits:noalert;” (or “noalert;”) is set, but was hopping the pcap capture module won’t honor it 
(maybe a new or different combination of flowbits flags could be used for this).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Incoming TCP Connection (SYN)"; tcp.flags:S; flowbits:set,incoming_tcp; flowbits:noalert; sid:1;)
# Same result as above
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Incoming TCP Connection (SYN)"; tcp.flags:S; flowbits:set,incoming_tcp; noalert; sid:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Request"; flowbits:isset,incoming_tcp; content:"/"; http_uri; flowbits:unset,incoming_tcp; sid:2;)