Running 6.0.10 in sys mode through Parrot OS running Bookworm.
I am painfully new to Suricata (and IDS/IPS in general). My goal is to create two separate rules, one which monitors any incoming HTTP traffic, and one which monitors any outgoing. The first of my two rules,

alert tcp any 80 -> any any (msg:"incoming HTTP traffic detected"; sid:10002;)

appears to function fine and logs as intended. But the second,

alert tcp any any -> any 80 (msg:"outgoing HTTP traffic detected"; sid:10003;)

refuses to log at all. I've tried declaring flow to no avail. Convinced I'm missing something painfully obvious.