How the alerts are logged

need some assistance with Suricata and how the alerts are being logged. We have not made any changes to the Suricata configuration regarding rules except that we added a third-party rule set in addition to the default rules. The Suricata is configured to log to eve.json. We are using a splunk forwarder to forward the logs from eve.json to splunk.

We have noticed that all the alerting only seems to come from a single category (see below). How do we enable other categories?

“category”:“Generic Protocol Command Decode”,“severity”:3

Also, it seems like all the alerts that have been logged have the action of “allowed”. How do we enable other actions to be logged?

“alert”:{“action”:“allowed”}

Thanks

The category part of the event is from the associated rule and its classtype. The classtype points to a classification defined in the classification.config file that is referenced in the suricata.yaml.

The action in the event is determined by the action set for the rule. So if the rules action is alert then you will see allowed, if the rules action is reject then you would see blocked.

What is the proper configuration for providing a list of rules and ensuring that any rule in any category will be matched and alert on?
Keeping in mind as you we are troubleshooting that the rules file given to us by the analysts cannot be shared with anyone. These are Alienvault’s proprietary rules

Just put the filenames in the suricata configuration.
All enabled (uncommented) rules will be alerted on by default.

https://suricata.readthedocs.io/en/suricata-6.0.1/configuration/suricata-yaml.html#rule-files