Bug #6915

open

How to write the filepath to the alert log when using default mode with pcap-log?

Added by Roaming White 9 months ago. Updated 6 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hello Teams, when I set the mode to default mode in the pcap-log of Suricata, my alert log will not record the capture_file. How should I tweak the configuration to bring out the capture_file in the alert log?

  - pcap-log:
      enabled: yes
      filename: log-%n-%t.pcap

      # File size limit.  Can be specified in kb, mb, gb.  Just a number
      # is parsed as bytes.
      limit: 4mb

      # If set to a value, ring buffer mode is enabled. Will keep maximum of
      # "max-files" of size "limit" 
      max-files: 2500

      # Compression algorithm for pcap files. Possible values: none, lz4.
      # Enabling compression is incompatible with the sguil mode. Note also
      # that on Windows, enabling compression will *increase* disk I/O.
      compression: none

      # Further options for lz4 compression. The compression level can be set
      # to a value between 0 and 16, where higher values result in higher
      # compression.
      #lz4-checksum: no
      #lz4-level: 0

      mode: normal # normal, multi or sguil.

      # Directory to place pcap files. If not provided the default log
      # directory will be used. Required for "sguil" mode.
      dir: /var/log/suricata/

      #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
      use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
      honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged.
      conditional: alerts
#1

Updated by Philippe Antoine 6 months ago

  • Tracker changed from Support to Bug
  • Status changed from New to Feedback
  • Target version set to TBD

For support questions, forum.suricata.io is now the better place.

For your question, do you expect a `capture_file` field in your eve.json alert events?
I think capture_file is meant when you read multiple pcaps (see pcap-file in suricata.yaml eve output), not when you are recording live traffic into pcaps.
Would you be able to create a suricata-verify test with what you expect?
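The reply above explains that a capture-file field is tied to reading pcaps in, not to pcap-log writing them out. What an analyst usually wants in the live-capture case is a way to find the pcap-log file that covers a given alert. The script below is an added example written for this thread; it is not Suricata code and not the reporter's configuration. It assumes (1) that each pcap-log file name carries its Unix-epoch start time in seconds, either through the `%t` token in `filename:` or through the `.sec` / `.sec.usec` suffix that `ts-format` appends in normal mode, (2) that eve.json alert events carry Suricata's usual `timestamp` field, and (3) that a `capture_file` key (the name used in this thread) is present only when Suricata itself wrote it. The file names and eve.json lines are constructed sample data.

```python
"""Map eve.json alert events to the pcap-log file that should contain them.

Added example for this thread, not Suricata code. Assumptions are marked
below: pcap-log file names embed an epoch-seconds start time (via %t or the
ts-format suffix), and a `capture_file` key appears only when Suricata set it.
"""
import json
import re
from datetime import datetime
from typing import Optional

# Constructed sample: three rotated pcap-log files, one with a ts-format usec suffix.
SAMPLE_PCAPS = [
    "log-1-1700000000.pcap",            # starts 2023-11-14T22:13:20Z
    "log-1-1700000600.pcap",            # starts 2023-11-14T22:23:20Z
    "log-1-1700001200.pcap.123456",     # starts 2023-11-14T22:33:20Z, usec suffix
]

# Constructed sample eve.json lines (one JSON object per line, as Suricata writes them).
SAMPLE_EVE = [
    '{"timestamp":"2023-11-14T22:13:40.000000+0000","event_type":"alert","alert":{"signature_id":1}}',
    '{"timestamp":"2023-11-14T22:25:00.000000+0000","event_type":"alert","alert":{"signature_id":2}}',
    '{"timestamp":"2023-11-14T22:35:00.000000+0000","event_type":"alert","alert":{"signature_id":3}}',
    # Hypothetical pcap-file run: the field is already present, so no lookup is needed.
    '{"timestamp":"2023-11-14T22:36:00.000000+0000","event_type":"alert","alert":{"signature_id":4},"capture_file":"/tmp/in.pcap"}',
    # Alert older than every pcap-log file on disk: nothing can be matched.
    '{"timestamp":"2023-11-14T22:00:00.000000+0000","event_type":"alert","alert":{"signature_id":5}}',
    # Non-alert event, ignored.
    '{"timestamp":"2023-11-14T22:13:41.000000+0000","event_type":"flow"}',
]

# Assumption: the first run of exactly ten digits is the epoch-seconds start time.
# Microsecond suffixes (".123456") are shorter and therefore never matched.
EPOCH_RE = re.compile(r"(?<!\d)(\d{10})(?!\d)")


def pcap_start_time(name: str) -> Optional[int]:
    """Return the epoch start time embedded in a pcap-log file name, or None."""
    m = EPOCH_RE.search(name)
    return int(m.group(1)) if m else None


def parse_eve_timestamp(ts: str) -> float:
    """Parse Suricata's eve timestamp format, e.g. 2023-11-14T22:13:40.000000+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()


def file_for_time(epoch: float, pcaps: list) -> Optional[str]:
    """Pick the pcap whose start time is the latest one not after `epoch`.

    Files rotate by size, so the covering file is simply the newest one that
    began before the alert; an alert older than all files yields None.
    """
    starts = []
    for name in pcaps:
        start = pcap_start_time(name)
        if start is not None:
            starts.append((start, name))
    chosen = None
    for start, name in sorted(starts):
        if start <= epoch:
            chosen = name
        else:
            break
    return chosen


def locate_alert(line: str, pcaps: list) -> Optional[dict]:
    """For one eve.json line, say which file should hold the alert's packets."""
    ev = json.loads(line)
    if ev.get("event_type") != "alert":
        return None
    sid = ev["alert"]["signature_id"]
    if "capture_file" in ev:
        # Suricata already recorded the input file (pcap-file mode); trust it.
        return {"sid": sid, "source": "eve", "file": ev["capture_file"]}
    # Live capture with pcap-log: reconstruct the file from the alert time.
    epoch = parse_eve_timestamp(ev["timestamp"])
    return {"sid": sid, "source": "pcap-log", "file": file_for_time(epoch, pcaps)}


def correlate(eve_lines: list, pcaps: list) -> list:
    """Run locate_alert over a list of eve.json lines, dropping non-alert events."""
    results = []
    for line in eve_lines:
        hit = locate_alert(line, pcaps)
        if hit is not None:
            results.append(hit)
    return results


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVE, SAMPLE_PCAPS):
        print(hit)
```

In practice, feed `correlate` the lines of `eve.json` and the listing of the `dir:` configured under pcap-log; a `None` in the result means the alert predates the oldest file still retained by `max-files`, which is the usual reason a packet cannot be recovered in ring-buffer mode.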
