JSON entries have different events. As Jason pointed out, events like:
- flow
- tls
- alert
- drop
- http
- dns
- stats
can show more of what is happening.
Not all ips.blocked stats mean a rule was matched.
From the stats.log that you have shared, I’ve noticed a couple of things:
Suricata is seeing midstream traffic, and is dropping associated flows:
exception_policy.tcp.midstream.drop_flow | Total | 14
There are also drops related to app layer errors:
exception_policy.app_layer.error.drop_flow | Total | 2034
This could lead to a higher ips.blocked | Total | 5097
without these necessarily being connected to an alert that would show up in fast.log.
This post sheds some light on chasing issues related to exception policies: My traffic gets blocked after upgrading to Suricata 7
Do you have drop enabled for your EVE log? It might help figure out what’s going on.
This isn’t perfect, but it has a few commands for using jq with the EVE logs: JQ cheat sheet for parsing Suricata EVE outputs
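Putting the reply above into practice, here is an added example (not code from the thread or from the Suricata project): a small Python script that parses stats.log counter lines in the format quoted above and buckets EVE drop records by cause, the kind of check one would otherwise do with jq. It assumes that a drop record caused by a rule carries an alert object (EVE drop logging with alerts enabled) and that policy drops carry a drop.reason field; the sample lines and reason strings are constructed.

```python
"""Correlate Suricata stats.log exception-policy counters with EVE drop events."""
import json
from collections import Counter

# Constructed stats.log excerpt; the three values come from the thread.
STATS_LOG = """\
exception_policy.tcp.midstream.drop_flow    | Total | 14
exception_policy.app_layer.error.drop_flow  | Total | 2034
ips.blocked                                 | Total | 5097
ips.accepted                                | Total | 100000
"""

# Constructed EVE lines. Assumption: a drop caused by a rule carries an
# 'alert' object, a policy drop only a 'drop.reason' (strings are illustrative).
EVE_LINES = [
    '{"event_type":"drop","src_ip":"10.0.0.5","drop":{"reason":"stream midstream"}}',
    '{"event_type":"drop","src_ip":"10.0.0.6","drop":{"reason":"applayer error"}}',
    '{"event_type":"drop","src_ip":"10.0.0.7","drop":{"reason":"rules"},'
    '"alert":{"signature_id":2000001,"action":"blocked"}}',
    '{"event_type":"alert","src_ip":"10.0.0.7","alert":{"signature_id":2000001}}',
    '{"event_type":"flow","src_ip":"10.0.0.8","dest_ip":"10.0.0.9"}',
]


def parse_stats(text):
    """Return {counter_name: value} from 'name | Total | value' lines."""
    counters = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[2].isdigit():
            counters[parts[0]] = int(parts[2])
    return counters


def policy_drops_vs_blocked(counters):
    """(flows dropped by exception policy, packets counted in ips.blocked).

    drop_flow counts flows while ips.blocked counts packets, so the first
    number is only a hint that blocks may not all trace back to a rule.
    """
    policy = sum(v for k, v in counters.items()
                 if k.startswith("exception_policy.") and k.endswith(".drop_flow"))
    return policy, counters.get("ips.blocked", 0)


def classify_drops(lines):
    """Bucket EVE drop events: 'rule:<sid>' if an alert fired, else 'policy:<reason>'."""
    buckets = Counter()
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "drop":
            continue  # flow/alert/http/... records are not drops
        if "alert" in ev:
            buckets["rule:%d" % ev["alert"]["signature_id"]] += 1
        else:
            buckets["policy:" + ev.get("drop", {}).get("reason", "unknown")] += 1
    return buckets
```

Drops landing in a policy bucket are the ones fast.log will never explain; the matching counters in stats.log tell you which exception policy to tune.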