Bug #1865 (closed)
IPS (inline) mode: no logging in drop.log
Description
Hello,
I installed Suricata (3.1.1) on Kali Linux, enabled drop in suricata.yaml, and added the following two rules to the end of the drop.rules file:
alert icmp any any <> any any (msg:" Alert ICMP"; itype: 8;)
drop tcp any any <> any any (msg:"Alert TCP XMAS"; flags:FPU; classtype:misc-attack; sid:10000003; rev:1;)
Then I ran:
iptables -I INPUT -j NFQUEUE
iptables -I OUTPUT -j NFQUEUE
iptables -I FORWARD -j NFQUEUE
Then I started Suricata in inline mode and pinged this VM from another VM: the ICMP alert was logged in fast.log. Then I ran an XMAS scan in Zenmap from another VM against this one: the TCP drop was not logged in drop.log, but I know the packets were dropped, because:
"Verdict: Accepted 10, Dropped 10, Replaced 0"
I also changed the "drop" rule in the drop.rules file to "alert tcp any any <> any any (msg:"Alert TCP XMAS";...)" and repeated the XMAS scan:
-> no TCP alert was logged in fast.log (nor in drop.log).
Why doesn't Suricata log the TCP drop or the TCP alert in inline mode? (In IDS mode everything gets logged.)
Thanks in advance.
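As an added example (not part of the bug report and not Suricata project code), here is a small Python parser for fast.log that separates the three forms Suricata writes for a matching packet: a plain alert, `[Drop]` when the packet was actually dropped in inline (IPS) mode, and `[wDrop]` when a drop rule matched in IDS mode and only would have dropped. Running it over fast.log after a scan shows, per sid, whether a real drop was recorded, which is the first check to make in a situation like the one described above. The sample log lines are constructed, not taken from the report; sid 10000002 for the ICMP rule (the rule as posted has no sid), sid 10000004 in the usage line, and all addresses and timestamps are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed fast.log sample (assumed values, not from the bug report):
# two ICMP alerts, one TCP XMAS hit logged as [Drop] (inline mode) and
# one logged as [wDrop] (IDS mode: drop rule matched, nothing dropped).
SAMPLE_FAST_LOG = """\
08/17/2016-10:12:01.123456  [**] [1:10000002:1] Alert ICMP [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.56.101:8 -> 192.168.56.102:0
08/17/2016-10:12:02.223456  [**] [1:10000002:1] Alert ICMP [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.56.102:0 -> 192.168.56.101:0
08/17/2016-10:13:05.000001  [Drop] [**] [1:10000003:1] Alert TCP XMAS [**] [Classification: Misc Attack] [Priority: 3] {TCP} 192.168.56.101:40001 -> 192.168.56.102:22
08/17/2016-10:13:05.000002  [wDrop] [**] [1:10000003:1] Alert TCP XMAS [**] [Classification: Misc Attack] [Priority: 3] {TCP} 192.168.56.101:40002 -> 192.168.56.102:80
"""

# One fast.log line: timestamp, optional [Drop]/[wDrop] marker, [gid:sid:rev],
# message, optional classification, priority, {proto}, src -> dst.
FAST_LINE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>w?Drop)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# No marker means the rule action was alert (or the packet was not dropped).
ACTIONS = {None: "alert", "Drop": "drop", "wDrop": "wdrop"}


def parse_fast_log(text):
    """Return one dict per parseable fast.log line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FAST_LINE.match(line)
        if m is None:
            continue
        records.append({
            "ts": m.group("ts"),
            "action": ACTIONS[m.group("action")],
            "sid": int(m.group("sid")),
            "rev": int(m.group("rev")),
            "msg": m.group("msg"),
            "proto": m.group("proto"),
            "src": m.group("src"),
            "dst": m.group("dst"),
        })
    return records


def summarize(records):
    """Map sid -> Counter of actions, e.g. {10000003: Counter(drop=1, wdrop=1)}."""
    by_sid = defaultdict(Counter)
    for r in records:
        by_sid[r["sid"]][r["action"]] += 1
    return dict(by_sid)


def drop_logged(records, sid):
    """True if at least one real [Drop] was logged for this sid.

    A [wDrop] does not count: it means the engine ran in IDS mode and the
    packet was not actually dropped."""
    return any(r["sid"] == sid and r["action"] == "drop" for r in records)


def missing_drops(records, expected_sids):
    """Sids from expected_sids that never produced a [Drop] entry."""
    return sorted(s for s in expected_sids if not drop_logged(records, s))


if __name__ == "__main__":
    recs = parse_fast_log(SAMPLE_FAST_LOG)
    for sid, counts in sorted(summarize(recs).items()):
        print(sid, dict(counts))
    # 10000004 is a hypothetical sid with no log entries in the sample.
    print("drop rules with no [Drop] logged:", missing_drops(recs, {10000003, 10000004}))
```

On a real box, replace `SAMPLE_FAST_LOG` with the contents of the configured fast.log; a drop rule whose sid shows up only as `wdrop` or not at all is the first thing to chase before looking at drop.log, since drop.log only records packets the engine actually dropped.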