[Oisf-users] Suricata not logging drops

Michael J. Sheldon msheldon at godaddy.com
Fri Sep 30 23:14:25 UTC 2016


I'm going absolutely crazy on this one.
Suricata version is 3.1.2

We have suricata running in IPS mode, and it's working just fine.

I have this rule:
drop dns any any -> any 53 (msg:"Config zone filter"; dns_query; content:"zone.test"; nocase; sid:3200017;)

And it works, a query for that zone is dropped.

However, I cannot get suricata to log it as a drop via eve or in the drop log. I get absolutely nothing. The closest I get is to enable alert logging in eve, which does log it as an alert, with action "allowed".

  - eve-log:
      enabled: yes
      type: redis #file|syslog|unix_dgram|unix_stream
      redis:
          server: 127.0.0.1
          port: 6379
          mode: list ##list|channel
          key: suricata ##key or channel
      types:
        - alert
        - drop

I have also tried it with:
        - drop:
            alerts: yes
            flows: all

Identical results when eve is logged to file instead of redis.

{"timestamp":"2016-09-30T22:56:39.998408+0000","flow_id":2034018894167048,"event_type":"alert","src_ip":"10.0.0.102","src_port":48344,"dest_ip":"10.0.0.101","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":3200017,"rev":0,"signature":"Config zone filter","category":"","severity":3}}

If I turn alert logging off, I get nothing.

Likewise, if I turn drop logging off in eve, and enable the regular drop log, I get nothing.

What the heck am I missing?

Michael Sheldon
Dev-DNS Services
GoDaddy.com
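A small checker for the situation described in the post, added here as an example and not part of the original message or of Suricata itself: it reads EVE JSON lines, groups them by signature id, and reports whether the log shows only an alert with action "allowed" (what the poster sees) or an actual drop (a "blocked" alert or an event_type "drop" record). The first sample record is the one quoted in the post, trimmed to the fields the check uses; the "blocked" and "drop" records are constructed for the example, and the shape of the drop record (an "alert" sub-object carrying signature_id) is an assumption, not taken from Suricata documentation.

```python
import json
from collections import Counter, defaultdict

# Constructed sample EVE records. The first is the record quoted in the post
# (abbreviated to the fields this check uses). The second and third are made
# up here to show what a "blocked" alert and an event_type "drop" record look
# like to this checker; the drop record's layout is an assumption. The last
# line is deliberately malformed to exercise the parser's error handling.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2016-09-30T22:56:39.998408+0000","event_type":"alert",'
    '"src_ip":"10.0.0.102","dest_ip":"10.0.0.101","dest_port":53,"proto":"UDP",'
    '"alert":{"action":"allowed","signature_id":3200017,"signature":"Config zone filter"}}',
    '{"timestamp":"2016-09-30T22:57:01.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.102","dest_ip":"10.0.0.101","dest_port":53,"proto":"UDP",'
    '"alert":{"action":"blocked","signature_id":3200017,"signature":"Config zone filter"}}',
    '{"timestamp":"2016-09-30T22:57:01.000100+0000","event_type":"drop",'
    '"src_ip":"10.0.0.102","dest_ip":"10.0.0.101","dest_port":53,"proto":"UDP",'
    '"alert":{"signature_id":3200017,"signature":"Config zone filter"}}',
    'this line is not json',
]


def parse_eve(lines):
    """Yield parsed EVE records, skipping blank or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            # A truncated or non-JSON line must not abort the whole check.
            continue
        if isinstance(rec, dict) and "event_type" in rec:
            yield rec


def summarize_by_sid(lines):
    """Return {sid: {"alert_actions": Counter, "drop_events": int}}.

    Alert records are tallied by their "action" field; drop records are
    counted separately so the two kinds of evidence stay distinguishable.
    """
    summary = defaultdict(lambda: {"alert_actions": Counter(), "drop_events": 0})
    for rec in parse_eve(lines):
        alert = rec.get("alert") or {}
        sid = alert.get("signature_id")
        if sid is None:
            continue
        if rec["event_type"] == "alert":
            summary[sid]["alert_actions"][alert.get("action", "unknown")] += 1
        elif rec["event_type"] == "drop":
            summary[sid]["drop_events"] += 1
    return dict(summary)


def drop_logging_verdict(lines, sid):
    """Classify what the log shows for one signature id."""
    entry = summarize_by_sid(lines).get(sid)
    if entry is None:
        return "no records for sid"
    actions = entry["alert_actions"]
    if entry["drop_events"] > 0 or actions.get("blocked", 0) > 0:
        return "drop logged"
    if actions.get("allowed", 0) > 0:
        return "alert only, action allowed"
    return "alert only"


if __name__ == "__main__":
    # Run against the constructed sample; point this at a real eve.json
    # (e.g. open(path) as the lines iterable) to check a live deployment.
    for sid, entry in summarize_by_sid(SAMPLE_EVE_LINES).items():
        print(sid, dict(entry["alert_actions"]), "drops:", entry["drop_events"])
    print(drop_logging_verdict(SAMPLE_EVE_LINES, 3200017))
```

Run on just the record from the post, the verdict is "alert only, action allowed", which is the symptom described; once a "blocked" alert or a drop record for the same sid appears, it flips to "drop logged", so the script can be left running against a file-backed eve.json while the configuration is adjusted.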
