Suricata drop/ Alerts to external Database

Hi All ,
I have few doubts if you can help it will be nice

  1. Many rules have action : alert , so is the traffic allowed by just alerting ? .
  2. If I want to send alert , drop this malicious traffic to a external database for further analysis how can I do that.


  1. If you are running Suricata in IDS mode, it will generate alerts based on rules, but won’t drop the traffic (if you want malicious traffic to be dropped, consider the IPS mode - but that depends on the network setup you have, to really work);
  2. If you want to capture the malicious traffic if certain alerts happen, the released Suricata versions don’t have that capability as of yet. But Conditional PCAP logging is one of the new features for Suricata 7, which should be released within a few months.

Mr Éric Leblond is the contributor for this addition. See his presentation during SuriCon2021:

Hi , Got it thanks .
Just to make sure section 13 in read the docs is sufficient for IPS setting ?

I’m not an expert in that regard, so can’t help there :stuck_out_tongue:

But if you encounter any issues, as you know, this forum is your friend ^^

1 Like