Bug #6154 (open)
Conditional pcap-log fails to log packets for some alerts when using “pcap-file-continuous” flag
Description
Hello,
I am using the new feature “Conditional PCAP” on Suricata v.7.rc2 to log alert packets.
I run Suricata with pcap-log enabled and conditional set to alerts. My Suricata instance is used only to process PCAPs with pcap-file-continuous enabled.
After a few months of testing this feature, I encountered a disturbing problem. It seems that when I play PCAPs to Suricata with the pcap-file-continuous configuration enabled, Suricata fails to log the packets for some alerts.
- Run Suricata with the flag -r <path> → Play PCAPs → extract the packets from pcap-log based on eve.json (using GopherCap 2) → Works fine!
- Run Suricata with the flag -r <path> and --pcap-file-continuous → Play the same PCAPs → extract the packets from pcap-log based on eve.json (using GopherCap 2) → Failed to extract the packets for some of the alerts.
- Run Suricata with the flag -r <path> and --pcap-file-continuous → Play the same PCAPs → stopped Suricata → extract the packets from pcap-log based on eve.json (using GopherCap 2) → Works fine!
Here are my pcap-log settings:
enabled: yes
filename: pcap.%n.%t
limit: 20mb
max-files: 5
compression: none
mode: multi
dir: /var/log/suricata/pcap
use-stream-depth: no
honor-pass-rules: no
conditional: alerts
and my stream configuration:
memcap: 64mb
checksum-validation: yes
inline: auto
reassembly:
  memcap: 256mb
  depth: 1mb # reassemble 1mb into a stream
  toserver-chunk-size: 2560
  toclient-chunk-size: 2560
  randomize-chunk-size: yes
I can reproduce it easily by just adding one rule to suricata:
alert tcp any any -> any any (msg:"tcp"; classtype:policy-violation; sid:1; rev:1;)
And when I feed Suricata with a PCAP file containing a single TCP packet, I get an alert, but the packet is not written to the pcap log.
forum discussion - https://forum.suricata.io/t/conditional-pcap-log-fails-to-log-packets-for-some-alerts-when-using-pcap-file-continuous-flag/3459/6
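An added check for the symptom described in this report (example code, not from the reporter, GopherCap or the Suricata project): it cross-references the alert events in eve.json against the packets actually present in the conditional pcap-log output and lists every alert whose packet was never written. It assumes IPv4/TCP over Ethernet in a classic (non-pcapng) pcap and eve.json's default timestamp format; the pcap and eve.json sample data are constructed inline.

```python
import json
import struct
from datetime import datetime

def tcp_packets_in_pcap(data):
    # Yield (ts_sec, src_ip, dst_ip, sport, dport) per IPv4/TCP frame; assumes Ethernet link type
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24  # skip the global header
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        ihl = (pkt[14] & 0x0F) * 4 if len(pkt) >= 34 else 0
        if ihl < 20 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6 or len(pkt) < 18 + ihl:
            continue  # not IPv4/TCP over Ethernet, or truncated
        sport, dport = struct.unpack_from("!HH", pkt, 14 + ihl)
        yield ts_sec, ".".join(map(str, pkt[26:30])), ".".join(map(str, pkt[30:34])), sport, dport

def eve_alerts(eve_text):
    # Yield (ts_sec, src_ip, dst_ip, sport, dport, sid) for each alert event in eve.json.
    for line in filter(str.strip, eve_text.splitlines()):
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        yield (int(ts.timestamp()), ev["src_ip"], ev["dest_ip"], ev["src_port"],
               ev["dest_port"], ev["alert"]["signature_id"])

def alerts_missing_from_pcap(eve_text, pcap_bytes):
    # Alerts with no same-second packet on the same 4-tuple (either direction) in pcap-log output.
    logged = set()
    for ts, s, d, sp, dp in tcp_packets_in_pcap(pcap_bytes):
        logged.update({(ts, s, d, sp, dp), (ts, d, s, dp, sp)})
    return [a for a in eve_alerts(eve_text) if a[:5] not in logged]

# Constructed sample: pcap-log holds one SYN 10.0.0.1:1234 -> 10.0.0.2:80, while eve.json
# has that alert plus a second one (10.0.0.3 -> 10.0.0.4) whose packet was never written.
def _frame(src, dst, sport, dport):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + tcp_hdr
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + struct.pack(
    "<IIII", 1685620800, 0, 54, 54) + _frame("10.0.0.1", "10.0.0.2", 1234, 80))
SAMPLE_EVE = "\n".join(json.dumps(e) for e in [
    {"timestamp": "2023-06-01T12:00:00.000000+0000", "event_type": "alert", "src_ip": "10.0.0.1",
     "dest_ip": "10.0.0.2", "src_port": 1234, "dest_port": 80, "alert": {"signature_id": 1}},
    {"timestamp": "2023-06-01T12:00:01.000000+0000", "event_type": "alert", "src_ip": "10.0.0.3",
     "dest_ip": "10.0.0.4", "src_port": 5555, "dest_port": 443, "alert": {"signature_id": 1}}])
```

Running alerts_missing_from_pcap over a real eve.json and the concatenated pcap-log files gives a direct measure of how many alert packets the conditional logger dropped in a given run.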