suricata

Suricata 7 conditional pcap: just log the packet that triggers the specific rule, not all the TCP flow packets?


Everyone: I have some questions about the Suricata 7 conditional pcap:

1. With alerts mode, I found that Suricata just logged the packet that triggered some specific rules, not all the packets that belong to one TCP flow. Here is the problem: I want the complete flow packets, not just the packet that triggers the rules.
2. With tag mode, I added a tag to my custom rules; when I restarted the Suricata engine, it output an error, something like a grammatical error. Has anyone met the same problem?

Can anyone help or just explain?


Solution

  • I'll try to answer your questions to my best:

    1. Do you mean that, with pcap-log: enabled, conditions: alerts, you're only seeing the triggering packet? This is not the expected behavior, and could be a bug. If you confirm it is a bug, it would be great if you could report it to the redmine tracker, so it can be investigated.
    2. Can you edit your question to include the error message? If it was related to the rule itself, you could try using Stamus Networks' Suricata Language Server (https://github.com/StamusNetworks/suricata-language-server) to get more insight into what could be wrong with it. If not, more details on the rule you wrote and the error message it triggered would be needed.

    As an additional note, we recommend using our forum (https://forum.suricata.io/) for such questions, as it's easier for someone from the Suricata team (or the community) to see questions there, and it has a more fluid way when it comes to following up on questions ;)
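For reference, here is a minimal pcap-log configuration for Suricata 7 showing the three `conditional` values next to a rule that carries the `tag` keyword. This is an added example, not part of either post above or of the Suricata project; the directory, rule file name, rule text and sid are constructed placeholders.

```yaml
# suricata.yaml fragment (added example; paths and values are constructed placeholders)
outputs:
  - pcap-log:
      enabled: yes
      filename: log.pcap            # base name; Suricata appends a timestamp
      limit: 1000mb                 # rotate when a file reaches this size
      max-files: 2000               # ring buffer: keep at most this many files
      mode: normal                  # normal, multi or sguil
      dir: /var/log/suricata/pcap/  # placeholder output directory
      # Which packets reach the pcap file:
      #   all    - every packet seen (large on a busy link)
      #   alerts - only packets of flows that raised an alert
      #   tag    - only packets marked by a rule's "tag" keyword
      conditional: tag

# Rule loading (placeholder path and file name)
default-rule-path: /etc/suricata/rules
rule-files:
  - local.rules

# Contents of local.rules for the "tag" mode above (constructed example rule,
# kept on one line because the tag keyword must sit inside the rule options):
#
# alert tcp any any -> any 80 (msg:"Example tagged session"; flow:established,to_server; http.method; content:"GET"; tag:session,300,seconds; sid:1000001; rev:1;)
#
# tag:session,<count>,<metric>        keeps logging the whole session for <count>
#                                     packets, seconds or bytes after the match
# tag:host,<count>,<metric>,<src|dst> does the same for all traffic of the
#                                     matching source or destination host
#
# Check both files before restarting the engine:
#   suricata -T -c /etc/suricata/suricata.yaml -S /etc/suricata/rules/local.rules
```

Running the engine in test mode (`-T`) reports rule parse errors without starting capture, which is the quickest way to see exactly which part of a tag rule Suricata rejects.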