Suricata No PCAP

[argwfm]

Version

2.4.211

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

256

Storage for /nsm

512

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

We set pcapengine to TRANSISTION ahead of upgrading to SOv3 (still on SOv2.4.211), but PCAP is no longer being written to disk. PCAP via Steno was functional before this switch. No errors in logs, but /nsm/suricata/suripcap directories are all showing zero bytes and PCAP searching from SOC returns no results. BPF exists for Suricata and PCAP with no conflicts that would account. Our understanding is the BPF is applied s/t Steno BFP filters first, then PCAP BPF for the balance. Grid shows 2d of PCAP retention which matches with when we switched to TRANSITION, but again nothing on disk. Forward nodes all reflect TRANSITION and BPF is rendering as expected. Any ideas what could be going on here? Thanks!

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[argwfm]

Reviewing /opt/so/conf/suricata/suricata.yaml on the forward nodes, seeing the below BPF config... thinking this is related and working to remove via the manager, which interestingly enough has a completely different BPF configured for PCAP.

- pcap-log:
    enabled: 'yes'
    bpf-filter: ip and host 255.255.255.1 and port 1

[TOoSmOotH]

Did you apply the hotfix?

[argwfm]

Nope, that'd do it. Switching from TRANSITION to SURICATA also solved it. Thanks much!