Best way to analyze blocked packets
nekopep
I've set up a Suricata IPS, currently in alert-only mode, to train it and disable rules that are not adapted to my network.
Now I've got the rules fairly cleaned up, and interesting rules are now arising.
I would like to analyze the packets that are detected as an issue.
For example, I got some "ET POLICY HTTP Request to *.tk domain". Is there a way to log all these offending packets and analyze them with Wireshark?
In the *.tk domain case, can I log all DNS requests of the firewall's unbound DNS resolver and correlate them with my detection? Any idea where I could find these packet logs and activate them? Any idea where DNS can log the DNS requests?
Thanks for any ideas or tutorial links :)
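One way to do the correlation the post asks about, as an added example that is not from this thread: Suricata's EVE JSON log can carry both `alert` and `dns` events, and this script matches each alert to the DNS queries the same client made shortly before it. The sample lines are constructed, not captured traffic; the field names follow the EVE format, and the 60-second window is an assumption.

```python
import json
from datetime import datetime, timedelta

# Constructed sample EVE JSON lines (not real traffic): two DNS queries from one
# client, the alert the post mentions for that client, and an unrelated query.
SAMPLE_EVE = """
{"timestamp":"2024-01-10T10:00:01.000000+0000","event_type":"dns","src_ip":"192.0.2.10","dest_ip":"192.0.2.1","dns":{"type":"query","rrname":"cdn.example.com","rrtype":"A"}}
{"timestamp":"2024-01-10T10:00:02.000000+0000","event_type":"dns","src_ip":"192.0.2.10","dest_ip":"192.0.2.1","dns":{"type":"query","rrname":"files.example.tk","rrtype":"A"}}
{"timestamp":"2024-01-10T10:00:03.500000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","alert":{"signature":"ET POLICY HTTP Request to *.tk domain"}}
{"timestamp":"2024-01-10T10:05:00.000000+0000","event_type":"dns","src_ip":"192.0.2.11","dest_ip":"192.0.2.1","dns":{"type":"query","rrname":"other.example.tk","rrtype":"A"}}
""".strip().splitlines()


def parse_ts(ts):
    # EVE timestamps look like 2024-01-10T10:00:01.000000+0000
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def correlate(lines, window=timedelta(seconds=60)):
    """Map each alert to the DNS names its source host queried within
    `window` before the alert. Keys: (timestamp, signature, src_ip, dest_ip)."""
    events = [json.loads(line) for line in lines if line.strip()]
    queries = [
        (parse_ts(e["timestamp"]), e["src_ip"], e["dns"]["rrname"])
        for e in events
        if e["event_type"] == "dns" and e["dns"].get("type") == "query"
    ]
    result = {}
    for e in events:
        if e["event_type"] != "alert":
            continue
        t = parse_ts(e["timestamp"])
        # Only queries from the alerting client, inside the look-back window.
        names = [name for (qt, src, name) in queries
                 if src == e["src_ip"] and t - window <= qt <= t]
        key = (e["timestamp"], e["alert"]["signature"], e["src_ip"], e["dest_ip"])
        result[key] = names
    return result


if __name__ == "__main__":
    for (ts, sig, src, dst), names in correlate(SAMPLE_EVE).items():
        print(f"{ts} {sig}: {src} -> {dst}; recent DNS queries: {names}")
```

Pointing the script at a real eve.json gives, per alert, the names the client resolved just before the flagged HTTP request, which is usually enough to tell a benign CDN lookup from the *.tk host worth pulling into Wireshark.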