- TCP streams beyond stream.reassembly.depth
- encrypted streams after the key exchange
+It is possible to do conditional pcap logging by using the `conditional`
+option in the pcap-log section. By default the variable is set to `all`
+so all packet are logged. If the variable is set to `alerts` then only
+the flow with alerts will be logged. If the variable is set to `tag`
+then only packets tagged by signature using the `tag` keyword will
+be logged to the pcap file. Please note that if `alerts` or `tag` is
+used, then in the case of TCP session, Suricata will use available
+information from the streaming engine to log data that have triggered
+the alert.
+
::
- pcap-log:
mode: sguil # "normal" (default) or sguil.
sguil_base_dir: /nsm_data/
+ conditional: alerts
Verbose Alerts Log (alert-debug.log)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
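Review bot: The new paragraph describing `conditional` has several grammar slips that should be fixed before merge: "so all packet are logged" should read "so all packets are logged", "then only the flow with alerts will be logged" should read "then only flows with alerts will be logged", and "in the case of TCP session, Suricata will use available information from the streaming engine to log data that have triggered the alert" should read "in the case of a TCP session, Suricata will use available information from the stream engine to log the data that triggered the alert". It would also help readers to state plainly that with `alerts` or `tag` the resulting pcap is no longer a full capture but contains only the packets Suricata selected, so it cannot be relied on for complete traffic reconstruction. In the YAML example, check that the added `conditional: alerts` line is indented to the same level as `mode:` and `sguil_base_dir:` under `pcap-log:`, since the rendered block is what users copy into their configuration.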