Project

General

Profile

Actions

Bug #5189

open

Suricata alerts pcap issue

Added by Chatak Kumar 9 months ago. Updated 6 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
Target version:
-
Affected Versions:
Effort:
Difficulty:
low
Label:
Beginner

Description

Hi , I wanted to test suricata alert pcap , So I found 2 requests in github and tested them
Both of them generates pcap .
But issue is that when we open pcap , header of packets is truncated . It is some random unrecognizable text
Info filed should contain something like GET /url , etc but it contain only src_port -> dest_port ACK ,etc

https://github.com/OISF/suricata/pull/5345/
https://github.com/OISF/suricata/pull/6766/

These requests are closed

Any other versions which I can try.


Related issues 1 (0 open1 closed)

Related to Feature #120: Capture full session on alertClosedScott JordanActions
Actions #1

Updated by Chatak Kumar 9 months ago

  • Assignee changed from Scott Jordan to Victor Julien

Hi , I wanted to test suricata alert pcap , So I found 2 requests in github and tested them
Both of them generates pcap . I tested by running suricata with a pcap to compare.
But issue is that when we open pcap , header of packets is truncated . It is some random unrecognizable text
Info filed should contain something like GET /url, etc but it contain only src_port -> dest_port , ACK ,etc

Packets Info is different from original pcap as compared with Alerts pcap

https://github.com/OISF/suricata/pull/5345/
https://github.com/OISF/suricata/pull/6766/

These requests are closed

Any other versions which I can try.

Actions #2

Updated by Jason Ish 9 months ago

  • Related to Feature #120: Capture full session on alert added
Actions #3

Updated by Jason Ish 9 months ago

The latest version of this features is in this pull request: https://github.com/OISF/suricata/pull/6941

As this is a feature under development I'd recommend commenting on the ticket for that feature: #120.

Actions #4

Updated by Chatak Kumar 9 months ago

I have tried this v2.2.13 also It has same issue.
will be adding this comment under #120 also

Actions #5

Updated by Victor Julien 6 months ago

  • Status changed from New to Feedback
  • Assignee changed from Victor Julien to Chatak Kumar
  • Target version deleted (7.0.0-beta1)

#120 is now closed as conditional pcap logging is now implemented in master. Please give that a try to see if it works for you. Thanks!

Actions

Also available in: Atom PDF