Sorry for the late reply. But with the way you’ve set up your configurations I don’t think it’s gonna work. Did you verify it’s actually working? I’d be very surprised if it did. I’m really curious. How many drop rules do you have? Do you have any ‘[Drop]’ (for packet drop action actually taken) and an empty space in the place where ‘[Drop]’ would have been (which represents alert action on the packet) in ‘/var/log/suricata/fast.log’, as in the example below?
01/23/2025-10:54:09.963690 [Drop] [**] [1:2402000:7257] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {UDP} 178.215.238.246:9858 -> :161
01/23/2025-11:04:41.373621 [**] [1:2102049:5] GPL SQL ping attempt [**] [Classification: Misc activity] [Priority: 3] {UDP} 146.88.241.66:43933 -> :1434