Suricata 7.0.9 not generating alerts despite rules loaded and visible traffic

Hi everyone,

I’m experiencing an issue with Suricata 7.0.9 running in IDS mode using af-packet on Debian. The installation appears to work fine, and the service is active. I’ve verified the following:

  • The configuration loads correctly (suricata -T returns no errors).
  • Over 34,000 rules are successfully loaded from multiple .rules files.
  • The eve.json log file is created and regularly updated.
  • I’m monitoring interface enp1s0, which shows traffic in tcpdump.
  • Only test ICMP alerts and a single GPL SNMP public access alert are being generated.
  • The eve.json file contains dns and flow events but almost no actual alerts.
  • Even after scanning the system with nmap, very few alerts are triggered.
  • Wazuh integration is working, and I can see alerts that are present in eve.json.

Things I have tried:

  • Verified that the rules are uncommented and active.
  • Tested using different rule files.
  • Changed cluster-id in af-packet to avoid conflicts.
  • Confirmed that suricata.yaml points to the correct rules path.

Has anyone faced a similar issue? What else should I check to ensure Suricata is properly processing rules and generating expected alerts?

Any help would be greatly appreciated!

Please add:

  • suricata.yaml
  • suricata.log
  • stats.log
  • suricata --build-info
  • the full run command that you use for Suricata

stats.log (6.4 MB)
suricata.yaml (85.1 KB)
suricata.log (168.5 KB)
suricata --build-info.log (2.6 KB)

Based on the stats.log, it looks like not much traffic is forwarded, and what there is is mostly UDP. Which specific signature do you expect to trigger on that traffic?
Could you ideally attach an example pcap that does not trigger an alert but that you would expect to?
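Two points in this thread lend themselves to a small script: the question's observation that eve.json holds flow and dns events but almost no alerts, and the last reply's reading of stats.log (little traffic, mostly UDP). The following Python is an added example, not code from the thread or from the Suricata project. It parses the last snapshot of a Suricata 7 stats.log (the "Counter | TM Name | Value" layout), tallies eve.json event types and signatures, and separates three cases a responder checks by hand: nothing captured, nothing matched by the detect engine (detect.alert is 0), or matched but not written to eve.json. The stats.log excerpt and eve.json lines embedded below are constructed, and sid 1000001 is a local placeholder rather than a real ET/GPL rule.

```python
"""Triage for 'rules loaded, traffic visible, no alerts' (added example, not
Suricata project code): parse a Suricata 7 stats.log and eve.json and report
whether the gap is in capture, in detection, or in output."""
import json
import re
from collections import Counter

# Constructed stats.log excerpt in Suricata 7 layout, two snapshots. Counters
# are cumulative, so only the last snapshot matters. Not the thread's file.
SAMPLE_STATS = """\
----------------------------------------------------------------------------
Date: 5/12/2025 -- 10:00:08 (uptime: 0d, 00h 00m 08s)
----------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
----------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 500
detect.alert                                  | Total                     | 0
----------------------------------------------------------------------------
Date: 5/12/2025 -- 10:05:00 (uptime: 0d, 00h 05m 00s)
----------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
----------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 12345
capture.kernel_drops                          | Total                     | 0
decoder.pkts                                  | Total                     | 12345
decoder.udp                                   | Total                     | 11000
decoder.tcp                                   | Total                     | 1200
detect.alert                                  | Total                     | 3
"""

# Constructed eve.json lines (one JSON object per line). sid 1000001 is a
# local test-rule placeholder, not a real ET/GPL signature.
SAMPLE_EVE = """\
{"timestamp":"2025-05-12T10:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2025-05-12T10:00:01.100000+0000","event_type":"dns","src_ip":"10.0.0.1","dest_ip":"10.0.0.5","proto":"UDP","dns":{"type":"answer","rrname":"example.com","rcode":"NOERROR"}}
{"timestamp":"2025-05-12T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"ICMP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL test ICMP echo","category":"","severity":3}}
{"timestamp":"2025-05-12T10:00:05.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1}}
{"timestamp":"2025-05-12T10:00:06.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"ICMP","flow":{"pkts_toserver":1,"pkts_toclient":1}}
"""

# "counter | TM name | integer value"; the header row has a space in "TM Name"
# and a non-numeric Value column, so it does not match.
STATS_LINE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_stats_log(text):
    """Return {counter: value} for the 'Total' column of the LAST snapshot."""
    last_snapshot = text.split("Date:")[-1]
    counters = {}
    for line in last_snapshot.splitlines():
        m = STATS_LINE.match(line.strip())
        if m and m.group(2) == "Total":
            counters[m.group(1)] = int(m.group(3))
    return counters

def summarize_eve(lines):
    """Count event_type values and (sid, signature) pairs across eve.json lines."""
    events, signatures = Counter(), Counter()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        kind = ev.get("event_type", "unknown")
        events[kind] += 1
        if kind == "alert":
            a = ev["alert"]
            signatures[(a["signature_id"], a["signature"])] += 1
    return events, signatures

def diagnose(counters, events):
    """Turn capture/decoder/detect counters plus eve event counts into findings."""
    findings = []
    pkts = counters.get("capture.kernel_packets", 0)
    drops = counters.get("capture.kernel_drops", 0)
    total = counters.get("decoder.pkts", 0)
    tcp = counters.get("decoder.tcp", 0)
    engine_alerts = counters.get("detect.alert", 0)
    logged_alerts = events.get("alert", 0)
    if pkts == 0:
        findings.append("no packets captured: check the interface name and af-packet section")
    elif drops * 10 > pkts:
        findings.append(f"kernel drops are high ({drops} of {pkts} packets)")
    if total and tcp * 5 < total:
        findings.append(f"traffic is mostly non-TCP ({tcp} TCP of {total} packets); "
                        "signatures keyed on tcp/http cannot fire on it")
    if engine_alerts == 0 and logged_alerts == 0:
        findings.append("detect.alert is 0: the engine matched nothing, so this is not an output problem")
    elif engine_alerts > logged_alerts:
        findings.append(f"engine raised {engine_alerts} alerts but eve.json holds {logged_alerts}: "
                        "check the eve-log alert output type and log rotation")
    return findings

if __name__ == "__main__":
    counters = parse_stats_log(SAMPLE_STATS)
    events, signatures = summarize_eve(SAMPLE_EVE.splitlines())
    print("event types:", dict(events))
    print("signatures:", dict(signatures))
    for finding in diagnose(counters, events):
        print("-", finding)
```

Run it against real files with `parse_stats_log(open("/var/log/suricata/stats.log").read())` and `summarize_eve(open("/var/log/suricata/eve.json"))`. The value of the split is that "rules loaded" says nothing about whether a rule ever matched: detect.alert is the engine's own count, so a zero there while decoder.pkts climbs means the traffic simply does not match the loaded set (for example, UDP-only traffic against TCP/HTTP signatures), whereas a non-zero detect.alert with an empty eve.json points at the output configuration instead.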