There is absolutely nothing logged when suricata starts blocking a host. It is *crucial* for the IPS that it is clear at all times what is being filtered and why.
I've got the following output in "/var/log/suricata/fast.log" when doing a nmap scan of the host running suricata:

08/30/2018-15:06:54.713489 [Drop] [**] [1:2009582:3] ET SCAN NMAP -sS window 1024 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:53
08/30/2018-15:06:55.814801 [Drop] [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.122.1:46401 -> 192.168.122.222:22
08/30/2018-15:06:55.916797 [Drop] [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:3306
08/30/2018-15:06:56.017219 [Drop] [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46401 -> 192.168.122.222:3306
08/30/2018-15:07:01.131415 [Drop] [**] [1:2010936:3] ET SCAN Suspicious inbound to Oracle SQL port 1521 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:1521
08/30/2018-15:07:01.231743 [Drop] [**] [1:2010936:3] ET SCAN Suspicious inbound to Oracle SQL port 1521 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46401 -> 192.168.122.222:1521
08/30/2018-15:07:02.751242 [Drop] [**] [1:2010939:3] ET SCAN Suspicious inbound to PostgreSQL port 5432 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:5432
08/30/2018-15:07:02.851348 [Drop] [**] [1:2010939:3] ET SCAN Suspicious inbound to PostgreSQL port 5432 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46401 -> 192.168.122.222:5432
08/30/2018-15:07:04.534581 [Drop] [**] [1:2002910:6] ET SCAN Potential VNC Scan 5800-5820 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:5811
08/30/2018-15:07:05.757545 [Drop] [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:1433
08/30/2018-15:07:05.857813 [Drop] [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.122.1:46401 -> 192.168.122.222:1433
08/30/2018-15:07:07.146893 [Drop] [**] [1:2002911:6] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.122.1:46400 -> 192.168.122.222:5907
08/30/2018-15:07:16.018422 [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:32377
08/30/2018-15:07:16.143989 [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:32377
08/30/2018-15:07:16.244646 [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:32377
08/30/2018-15:07:16.345133 [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:32377
08/30/2018-15:07:17.549029 [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:39773
08/30/2018-15:07:17.649500 [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:39773
08/30/2018-15:07:17.799898 [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:39773
08/30/2018-15:07:17.924995 [Drop] [**] [1:2018489:3] ET SCAN NMAP OS Detection Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.122.1:40024 -> 192.168.122.222:39773

My log was entirely empty.
This was okay in the last image I tested, so I have no idea if we need to do anything about this...