Hi there,
to enable logging of blocked packets and to see which alerts are leading to packets being blocked, you can:
- enable drop events (17.1.1. Eve JSON Output — Suricata 8.0.0-dev documentation)
- enable the verdict field in the alert events (about the verdict field: 17.1.2. Eve JSON Format — Suricata 8.0.0-dev documentation)
Depending on the version you’re running, it may also be worth checking what the configuration for your exception policies is (My traffic gets blocked after upgrading to Suricata 7).
Aside from those notes, alerts and blocks will always require some refining when you install a network monitoring tool in a new environment, to understand what alerts and blocks make sense based on the traffic, and which don’t…
I hope that helps!
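As an added example, not part of the reply above or of Suricata itself: once drop events and the verdict field are enabled, this Python script reads eve.json lines, joins each drop event to the blocking alert seen on the same flow_id, and reports which signatures are causing the drops, counting separately any drops that have no blocking alert behind them (as an exception policy would produce). The eve lines are constructed, and the exact placement of the verdict field is an assumption, so alert.action == "blocked" is accepted as well.

```python
import json
# Constructed eve.json lines, not captured from a real sensor. Layout follows the Suricata
# "alert"/"drop" event types plus "verdict"; where "verdict" sits exactly is an assumption.
SAMPLE_EVE = """
{"flow_id":101,"event_type":"alert","alert":{"action":"blocked","signature_id":9000001,"signature":"LOCAL TEST blocked pattern"},"verdict":{"action":"drop"}}
{"flow_id":101,"event_type":"drop","drop":{"len":60,"ttl":64}}
{"flow_id":102,"event_type":"alert","alert":{"action":"allowed","signature_id":9000002,"signature":"LOCAL TEST alert-only pattern"},"verdict":{"action":"alert"}}
{"flow_id":103,"event_type":"alert","alert":{"action":"blocked","signature_id":9000001,"signature":"LOCAL TEST blocked pattern"},"verdict":{"action":"drop"}}
{"flow_id":103,"event_type":"drop","drop":{"len":60,"ttl":64}}
{"flow_id":103,"event_type":"drop","drop":{"len":60,"ttl":64}}
{"flow_id":105,"event_type":"drop","drop":{"len":1500,"ttl":64}}
{"flow_id":106,"event_type":"flow"
"""

def parse_eve(text):
    """Yield one decoded event per non-empty line; skip truncated or partial lines."""
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. a line cut off while the file was still being written

def is_blocking_alert(ev):
    """True when the verdict (or alert.action) says this alert caused the packet to be dropped."""
    if ev.get("event_type") != "alert":
        return False
    verdict = ev.get("verdict") or {}
    return verdict.get("action") in ("drop", "reject") or ev.get("alert", {}).get("action") == "blocked"

def blocking_summary(text):
    """Attribute drop events to the blocking alert on the same flow_id, per signature."""
    # Drops on flows with no blocking alert (e.g. an exception policy) are counted as unattributed.
    events = list(parse_eve(text))
    sig_of_flow, by_signature, unattributed = {}, {}, 0
    for ev in events:
        if is_blocking_alert(ev):
            key = (ev.get("alert", {}).get("signature_id"), ev.get("alert", {}).get("signature"))
            sig_of_flow[ev.get("flow_id")] = key
            by_signature.setdefault(key, {"alerts": 0, "drops": 0})["alerts"] += 1
    for ev in events:
        if ev.get("event_type") == "drop":
            key = sig_of_flow.get(ev.get("flow_id"))
            if key is None:
                unattributed += 1
            else:
                by_signature[key]["drops"] += 1
    return {"by_signature": by_signature, "unattributed_drops": unattributed}

if __name__ == "__main__":
    print(blocking_summary(SAMPLE_EVE))
```

Point it at a real eve.json by replacing SAMPLE_EVE with the file contents; a signature with many drops is the first candidate for tuning, while a high unattributed count points at exception policies rather than rules.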