Suricata inline IPS on Windows with WinDivert help

Hi there

After 2 days of brain strain I thought I finally got Suricata with WinDivert running on a Windows Server.

In EveBox though, I’m seeing DROP rules showing action as ALLOWED although it is a drop rule.

Changed IPs for demonstration purposes.

The rule:

drop ip [] any -> any any (msg:"ET DROP Dshield Block Listed Source group 1"; reference:url,; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DshieldIP; sid:2402000; rev:6025; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Major, created_at 2010_12_30, updated_at 2021_09_06;)

The JSON output when triggered:

  "_id": 88590,
  "_source": {
    "alert": {
      "action": "allowed",
      "category": "Misc Attack",
      "gid": 1,
      "metadata": {
        "affected_product": [
        "attack_target": [
        "created_at": [
        "deployment": [
        "signature_severity": [
        "tag": [
        "updated_at": [
      "rev": 6025,
      "severity": 2,
      "signature": "ET DROP Dshield Block Listed Source group 1",
      "signature_id": 2402000
    "dest_ip": "",
    "dest_port": 33911,
    "evebox": {
      "filename": "C:\\Program Files\\Suricata\\log\\eve.json"
    "event_type": "alert",
    "flow": {
      "bytes_toclient": 0,
      "bytes_toserver": 40,
      "pkts_toclient": 0,
      "pkts_toserver": 1,
      "start": "2021-09-07T13:51:44.037483+0000"
    "flow_id": 399008609636971,
    "metadata": {
      "flowbits": [
    "proto": "TCP",
    "src_ip": "",
    "src_port": 50460,
    "tags": [],
    "timestamp": "2021-09-07T13:51:44.037483+0000"

Starting Suricata with this command:

"C:\Program Files\Suricata\suricata.exe" -c "C:\Program Files\Suricata\suricata.yaml" --windivert true


Try this command line and this rule

suricata -c suricata.yaml -vv --windivert tcp -knone -l ./log

Rules drop example:

drop tcp any any -> any any (msg: "Google"; content: "google"; classtype: misc-activity; sid: 393981460; rev: 1;)
drop ip [,,] any -> any any (msg:"Sitio Bloqueado "; threshold: type limit, track by_src, seconds 3600, count 1; classtype: misc-activity; sid: 393981461; rev: 1;)

Hi there
EveBox still shows action as “allowed” in the JSON output although the drop is being enforced by WinDivert


In suricata.yaml?

- drop:
     alerts: yes      # log alerts that caused drops


Thank you for your help, much appreciated.

I checked and that was hashed out. I unhashed it now and restarted Suricata.

But I’m still not seeing any drop events in the log though… Just an “alert” with “action:allowed”…
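One way to check from eve.json itself whether a rule was only alerted on or actually enforced: Suricata logs the alert with `"action": "blocked"` when the packet was dropped, and, once the eve-log `drop` output type is enabled, a separate `event_type: drop` record for the same flow_id. The script below is an added example (not from this thread or the Suricata project) that correlates the two; the EVE lines are constructed with documentation addresses, not real log data.

```python
import json

# Constructed sample EVE lines (not real captures): one alert that was only
# logged (action "allowed"), one alert that was enforced (action "blocked")
# plus the drop record Suricata writes for the same flow when the eve-log
# "drop" output type is enabled. Addresses are RFC 5737 documentation IPs.
SAMPLE_EVE = """\
{"timestamp":"2021-09-07T13:51:44.037483+0000","flow_id":399008609636971,"event_type":"alert","src_ip":"198.51.100.10","dest_ip":"192.0.2.5","proto":"TCP","alert":{"action":"allowed","signature_id":2402000,"rev":6025,"signature":"ET DROP Dshield Block Listed Source group 1"}}
{"timestamp":"2021-09-07T13:52:01.000000+0000","flow_id":111111111111111,"event_type":"alert","src_ip":"198.51.100.20","dest_ip":"192.0.2.5","proto":"TCP","alert":{"action":"blocked","signature_id":393981461,"rev":1,"signature":"Sitio Bloqueado"}}
{"timestamp":"2021-09-07T13:52:01.000000+0000","flow_id":111111111111111,"event_type":"drop","src_ip":"198.51.100.20","dest_ip":"192.0.2.5","proto":"TCP","drop":{"len":40,"tos":0,"ttl":64,"ipid":1}}
"""


def audit_drops(eve_text):
    """Parse EVE JSON lines and, for every alert, report whether Suricata
    enforced it: alert.action must be "blocked" and a drop event should
    exist for the same flow_id."""
    alerts = []
    dropped_flows = set()
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") == "drop":
            dropped_flows.add(ev["flow_id"])
        elif ev.get("event_type") == "alert":
            alerts.append(ev)
    results = []
    for ev in alerts:
        a = ev["alert"]
        results.append({
            "sid": a["signature_id"],
            "flow_id": ev["flow_id"],
            "action": a.get("action"),
            "enforced": a.get("action") == "blocked"
            and ev["flow_id"] in dropped_flows,
        })
    return results


def unenforced_sids(eve_text):
    """SIDs that fired but were never enforced: candidates for a rule still
    running in alert mode, or an engine that is not actually inline."""
    return sorted({r["sid"] for r in audit_drops(eve_text) if not r["enforced"]})


if __name__ == "__main__":
    for r in audit_drops(SAMPLE_EVE):
        print(r)
    print("unenforced:", unenforced_sids(SAMPLE_EVE))
```

Run it against a real eve.json by passing the file contents to `unenforced_sids`; an empty list means every alert that fired was both marked blocked and paired with a drop record.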