Imported PCAP pivoting from Alert to PCAP not working.

[mtbhi]

Version

2.4.120

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

64

Storage for /

82GB

Storage for /nsm

157GB

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I'm running Security Onion in a VM in ESXi. I've uploaded several PCAPs from malware-traffic-analysis, all the Zeek and Suricata logs are appearing in SOC. When I try to pivot from any alert to the PCAP dashboard it says "No search results were found." If I pivot from any alert that has been generated from real-time traffic (I'm monitoring several other VMs in the lab) it works as expected. Therefore the problem only exists with imported PCAPs.

I installed a second Security Onion VM from scratch and have run into the same problem.

It may or may not be related, but before the 2.4.120 update when I was uploading the PCAPs from malware-traffic-analysis nothing was appearing in the alerts dashboard, despite Suricata logs showing that the alerts were working, however the Zeek logs were appearing as expected. I never found a solution to it but then the update fixed it so I moved on.

Any help would be greatly appreciated.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[dougburks]

Importing a PCAP and pivoting from Alert to PCAP seems to be working fine for me on 2.4.120:
https://blog.securityonion.net/2025/02/quick-malware-analysis-smartapesg.html

That blog post was done using a VM in IMPORT mode but I just verified that I can import the same PCAP in EVAL or STANDALONE mode and they are working as expected.

Here are some things you can try:

• check logs in /opt/so/log/ for additional clues
• check disk space to make sure there is free space available
• check time zone and make sure it is set to UTC
• check system clock and make sure it accurate
• try importing the PCAP used in the blog post above and see if that makes any difference
• try installing a new VM in IMPORT mode as shown at https://docs.securityonion.net/en/2.4/first-time-users.html and see if that works