Best way to analyze blocked packets



  • Hello,
    I've set up a Suricata IPS, currently in alert-only mode, to train it and disable rules that are not adapted to my network.
    Now I've fairly well cleaned up the rules, and interesting rules are now arising.
    I would like to analyze the packets that are detected as an issue.
    For example I got some "ET POLICY HTTP Request to *.tk domain". Is there a way to log all these offending packets and analyze them with Wireshark?
    In the *.tk domain case, can I log all DNS requests of the firewall's unbound DNS resolver and correlate them with my detection? Any idea where I could find these packet logs and how to activate them? Any idea where DNS can log the DNS requests?

    Thanks for any ideas or tutorial links :)
