Pcap retention

[caplam]

Version

2.4.150

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

6

RAM

24G

Storage for /

278G

Storage for /nsm

568G

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hello,

I installed SO 2.4.150 in a vm on an unraid server for learning purposes.
I'm looking for advices to configure pcap retention.
For now i only have 2.3 days of retention.
As it has been installed recently suricata is used for pcap.
The folder suripcap holds 2 folders "1" & "2"
Each of these 2 folders has 70 files of 1G.
If I have correctly understood the docs i should reduce the file size in configuration/suricata/pcap/filesize
What is a good value for this field ?
What is weird is that before i had another SO instance installed in the same way but in version 2.4.120 and the /nsm partition was smaller but pcap retention was around 3 weeks.
I suppose a pcap file holds a 1 session traffic and as most of the traffic is encrypted it's not so relevant to capture up to 1G.

df -h /nsm Filesystem Size Used Avail Use% Mounted on /dev/mapper/system-nsm 530G 189G 341G 36% /nsm

[fred@seconion 2]$ sudo du -h --max-depth=1 /nsm [sudo] password for fred: 7.7G /nsm/docker-registry 3.6G /nsm/repo 3.0G /nsm/elastic-fleet 3.4M /nsm/kratos 116M /nsm/rules 546M /nsm/influxdb 7.2G /nsm/backup 60K /nsm/soc 0 /nsm/pcap 0 /nsm/import 0 /nsm/pcapout 134G /nsm/suripcap 29G /nsm/elasticsearch 4.0K /nsm/logstash 4.0K /nsm/redis 26M /nsm/suricata 486M /nsm/zeek 25M /nsm/strelka 0 /nsm/custom-mappings 2.7M /nsm/securityonion-resources 185G /nsm

traffic on monitor interface is around 5Mb/s with spikes to 100Mb/s
capture loss is around 7%.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[caplam]

In case it helps someone else.
File size doesn't help as pcap file holds several streams.
The parameter to change seems to be
suricata > pcap > use-stream-depth [adv]. ==> from no (default) to yes
suricata > config > stream > reassembly > depth (1mb by default)

By default the whole stream is recorded.
I'll see is pcap retention is improved with that setting.

[caplam]

it didn't changed anything.
I still have 2 folders ( "1" & "2" ) in /nsm/suripcap which is 134G

[fred@seconion nsm]$ sudo du -h -d 1
[sudo] password for fred:
7.7G ./docker-registry
3.5G ./repo
3.0G ./elastic-fleet
12M ./kratos
117M ./rules
1.1G ./influxdb
7.3G ./backup
60K ./soc
0 ./pcap
0 ./import
0 ./pcapout
134G ./suripcap
113G ./elasticsearch
4.0K ./logstash
4.0K ./redis
106M ./suricata
1.3G ./zeek
26M ./strelka
0 ./custom-mappings
2.7M ./securityonion-resources
271G .

/nsm is 568G
Grid indicates 2.5 days pcap retention