I am trying to find the original packet that triggered Suricata’s alert.
From the eve.json, I extracted the pcap_cnt and pcap_filename for the relevant alert.
When I open the relevant pcap_filename and search for the packet number (as described in the “pcap_cnt”), most of the time I’ll get a packet that makes sense it triggered the alert.
However, on TCP streams, it’s quite the opposite. the “pcap_cnt” is not referring to the packet which triggered the alert. Sometimes it seems, the “pcap_cnt” referees to the packet within the same stream as the packet triggered the alert.
Is there any option to log the original packet which triggered the alert?
Suricata - tested on version 6.0.9 and 7.0.0-beta
Suricata command - “suricata -r pcap.pcap -k none”