- Suricata version: 7.0.8
- Operating system: Ubuntu 20.04.6 LTS
- How Suricata was installed: packages

When Suricata is configured with pcap-log to save packets that trigger alerts, only the HTTP request packet is recorded immediately. The corresponding response packet, however, will only be written into the saved pcap file when a subsequent alert occurs in that flow. How can this be resolved?
My configuration:

```yaml
- pcap-log:
    enabled: yes
    filename: pcaps/log-%t-%n.pcap
    limit: 10mb
    max-files: 100
    compression: none
    mode: multi
    use-stream-depth: no
    honor-pass-rules: no
    conditional: alerts
```
When an alert is triggered, only the request packet is captured—there is no corresponding response packet.
The response packet from the previous alert is only written into the pcap file when another alert is triggered.
My use case requires extracting the pcap traffic for each alert individually. However, the issue described above prevents me from doing so. I sincerely hope someone can help me resolve this.
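For the per-alert extraction step described in the post, the following is an added example (not code from the original post or from the Suricata project) that splits a finished libpcap file written by pcap-log into per-flow packet lists keyed by a direction-independent 5-tuple, so the request and its response end up together regardless of when Suricata flushed them. It assumes the pcap file is complete (rotated or closed, so both directions have been written), Ethernet link type, IPv4 with TCP or UDP, and alert fields named as in EVE JSON (`src_ip`, `src_port`, `dest_ip`, `dest_port`, `proto`); the sample pcap is constructed inline rather than captured from a real sensor.

```python
"""Group packets from a libpcap file by bidirectional flow and pull out one alert's flow.

Added example for the pcap-log question above; assumes an Ethernet/IPv4 pcap.
"""
import struct
import socket
from collections import defaultdict

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def parse_pcap(data: bytes):
    """Yield (timestamp, frame_bytes) from classic libpcap bytes (not pcapng)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET is handled here")
    off = 24  # global header is 24 bytes
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len


def flow_key(frame: bytes):
    """Return (proto, endpoint_a, endpoint_b) with endpoints sorted, so both
    directions of a flow map to the same key; None for non-IPv4/TCP/UDP frames."""
    if len(frame) < ETH_HDR_LEN + 20 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    if proto not in (IPPROTO_TCP, IPPROTO_UDP) or len(ip) < ihl + 4:
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    sport, dport = struct.unpack_from("!HH", ip, ihl)  # first 4 bytes of TCP and UDP headers
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))


def split_flows(data: bytes):
    """Map flow key -> list of (timestamp, frame) in file order."""
    flows = defaultdict(list)
    for ts, frame in parse_pcap(data):
        key = flow_key(frame)
        if key is not None:
            flows[key].append((ts, frame))
    return flows


def packets_for_alert(flows, proto, src_ip, src_port, dest_ip, dest_port):
    """Look up the flow an EVE alert record refers to (fields as in eve.json)."""
    key = (proto,) + tuple(sorted([(src_ip, src_port), (dest_ip, dest_port)]))
    return flows.get(key, [])


def flow_to_pcap(packets):
    """Serialise a packet list back into a stand-alone libpcap file (bytes)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in packets:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1e6))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


# ---- constructed sample data (not a real capture) -------------------------------
def _tcp_frame(src, sport, dst, dport, payload: bytes) -> bytes:
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def _build_pcap(frames):
    return flow_to_pcap([(1700000000 + i, f) for i, f in enumerate(frames)])


# Two HTTP flows; the response of flow A sits after flow B's request, as it would
# when pcap-log flushes it late. Grouping by flow key reunites it with its request.
SAMPLE_PCAP = _build_pcap([
    _tcp_frame("10.0.0.5", 51000, "192.0.2.10", 80, b"GET /a HTTP/1.1\r\nHost: x\r\n\r\n"),
    _tcp_frame("10.0.0.6", 51001, "192.0.2.10", 80, b"GET /b HTTP/1.1\r\nHost: x\r\n\r\n"),
    _tcp_frame("192.0.2.10", 80, "10.0.0.5", 51000, b"HTTP/1.1 200 OK\r\n\r\n"),
    _tcp_frame("192.0.2.10", 80, "10.0.0.6", 51001, b"HTTP/1.1 404 Not Found\r\n\r\n"),
])

if __name__ == "__main__":
    flows = split_flows(SAMPLE_PCAP)
    pkts = packets_for_alert(flows, IPPROTO_TCP, "10.0.0.5", 51000, "192.0.2.10", 80)
    with open("alert_flow.pcap", "wb") as fh:
        fh.write(flow_to_pcap(pkts))
    print(f"{len(flows)} flows; wrote {len(pkts)} packets for the first alert")
```

Run it against a rotated file from `pcaps/` instead of `SAMPLE_PCAP`, feeding each alert's 5-tuple from eve.json into `packets_for_alert`, and each alert gets its own pcap containing both directions once Suricata has finished writing the file.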