[Oisf-users] suri logging all the packets for the session

Cooper F. Nelson cnelson at ucsd.edu
Thu Nov 20 21:18:44 UTC 2014



If I remember correctly, the packet logging is a 'best effort' by
suricata to write the packets that triggered the alert.

In the example you gave it's using the SMTP protocol detection feature
of suricata, so it may be that by the time the flow has been tagged and
the alert generated some of the packets may have already been flushed.
Note that this is a content rule that occurs anywhere in the message
body; rules that trigger on the first few packets of a flow seem to do a
better job at logging the right packets.

If you really want full packet capture, either use the pcap logging
feature or set up an FPC (full-packet capture) solution.

-Coop

On 11/20/2014 12:52 PM, Russell Fulton wrote:
> Can someone please confirm whether or not this is expected
> behaviour?
> 
> I have found some examples today where multiple packets were
> logged but I could not find the patterns that triggered the alerts in
> the logged packets.  The packets logged were the last X of the
> session.
> 
> If this is not expected behaviour, does anyone have any
> suggestions for diagnosing what is going on?
> 
> Russell
> 
> On 19/11/2014, at 2:41 pm, Russell Fulton <r.fulton at auckland.ac.nz>
> wrote:

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
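For reference, this is what the pcap logging output Coop points to looks like in suricata.yaml. It is an added configuration example, not part of either message; the keys are those of the pcap-log output section in Suricata 2.x, and the directory and size values are placeholders to adjust.

```yaml
# Added example: enable Suricata's pcap-log output so every packet is written
# to disk, independent of whether an alert fired or which packets the alert
# logger managed to keep.
outputs:
  - pcap-log:
      enabled: yes
      filename: log.pcap
      # Per-file size limit (kb, mb, gb); combined with max-files this
      # behaves as a ring buffer so the disk does not fill up.
      limit: 1000mb
      max-files: 2000
      # "normal" writes a single rotating file set; "sguil" uses
      # sguil-style directories; "multi" writes one file per thread.
      mode: normal
      # Placeholder path: point this at the capture volume.
      dir: /path/to/pcap/   # assumption: adjust to your storage
      # "no" keeps logging packets after the stream inspection depth is
      # reached, so later packets of a long session are still captured.
      use-stream-depth: no
      # "no" keeps logging flows even after a pass rule matched them.
      honor-pass-rules: no
```

Packets that trigger an alert can then be located in the pcap files by flow tuple and timestamp from the alert log, rather than relying on the alert logger's best-effort packet record.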