Bug #8389

open

firewall: Add monitor/observe mode to preview firewall policy without enforcing drops

Added by Yash Datre 12 days ago. Updated 3 days ago.

Status: New
Priority: Low
Assignee: -
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Firewall mode currently has no way to evaluate a rule set without enforcing it. Rules either accept or drop, and the default policy drops unmatched traffic. There is no equivalent of IDS alert-only mode for the firewall engine.

This is a blocker for safe policy deployment. Operators need to preview the effect of a new or modified firewall policy on production traffic before switching to enforcement. The typical workflow is: deploy rules → enable monitor mode → observe logs for hours/days → confirm no legitimate traffic would be blocked → switch to enforce mode.

Ask: A configuration option (in suricata.yaml or via a runtime flag) that puts the firewall engine into a non-enforcing "monitor" state. When enabled:

  1. Firewall rules evaluate identically — same matching, same rule ordering, same table evaluation (pre_flow, pre_stream, main).
  2. Drop/reject verdicts are suppressed — packets that would be dropped or rejected by a firewall rule are instead allowed to pass through. The default drop action for unmatched packets is also suppressed.
  3. Alerts are generated — for every packet where a drop/reject verdict is suppressed, an alert (EVE JSON log entry) is generated indicating the rule that matched and the action that would have been taken. This gives operators full visibility into what enforcement mode would do.
  4. Accept rules behave normally — packets matching accept rules pass through as usual.

Why this can't be done externally:
  • Changing all drop:* rules to alert doesn't work because firewall mode syntax doesn't support alert as an action — only accept and drop (with scope).
  • Running in IDS mode instead doesn't work because IDS mode doesn't evaluate the firewall rule tables (pre_flow, pre_stream, main) or the default drop policy. The rule evaluation path is fundamentally different.
  • Setting the default policy to ACCEPT (Section 4.5 of our requirements) only changes the unmatched-traffic behavior — it doesn't suppress explicit drop:* rule verdicts. Monitor mode needs to suppress all enforcement, including explicit drop rules.

Ideally this would use the runtime toggle approach, so operators can switch between monitor and enforce on a live instance without restarting Suricata or reloading rules.
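The following is an added illustration of the requested semantics, not Suricata code and not part of the original report. It is a toy model in which the three firewall tables (pre_flow, pre_stream, main) are walked in fixed order and the first matching rule decides; real accept scopes are not modelled, and the rule form, the `monitor` flag and the alert record fields are assumptions chosen for the example. It runs the same constructed policy and traffic through three engines: enforce, default-policy-accept, and monitor. The middle one shows the point made above about a default ACCEPT policy: it only changes the unmatched packet, while explicit drop rules still drop; monitor mode is the only configuration that passes every packet and still reports what enforcement would have done.

```python
from dataclasses import dataclass

# Toy model of firewall-table evaluation with a monitor toggle.
# Added example, NOT Suricata code: rule form, table semantics (first match
# across tables in order) and the alert record layout are simplifications.

TABLE_ORDER = ("pre_flow", "pre_stream", "main")


@dataclass
class Rule:
    table: str      # one of TABLE_ORDER
    action: str     # "accept" or "drop" (alert is not a firewall action)
    sid: int
    match: dict     # packet attributes that must all equal these values


@dataclass
class Packet:
    src_ip: str
    dest_ip: str
    proto: str
    dest_port: int


class FirewallEngine:
    def __init__(self, rules, default_policy="drop", monitor=False):
        self.rules = rules
        self.default_policy = default_policy  # verdict for unmatched packets
        self.monitor = monitor                # True: suppress drops, log instead
        self.eve_log = []                     # EVE-style alert dicts (hypothetical fields)

    def _first_match(self, pkt):
        # Identical in both modes: tables in fixed order, rules in listed order.
        for table in TABLE_ORDER:
            for rule in self.rules:
                if rule.table == table and all(
                    getattr(pkt, k) == v for k, v in rule.match.items()
                ):
                    return rule
        return None

    def evaluate(self, pkt):
        """Return the verdict actually applied to pkt: "accept" or "drop"."""
        rule = self._first_match(pkt)
        would = rule.action if rule else self.default_policy
        if would == "accept":
            return "accept"       # accept rules behave the same in both modes
        if not self.monitor:
            return "drop"         # enforce mode: explicit drop or default drop
        # Monitor mode: let the packet through, record what enforce would do.
        self.eve_log.append({
            "event_type": "alert",
            "src_ip": pkt.src_ip,
            "dest_ip": pkt.dest_ip,
            "proto": pkt.proto,
            "dest_port": pkt.dest_port,
            "firewall": {
                "mode": "monitor",
                "table": rule.table if rule else None,
                "sid": rule.sid if rule else None,
                "would_have": "drop" if rule else "drop (default policy)",
            },
        })
        return "accept"


# Constructed policy: block one host early, allow HTTPS, block telnet,
# everything else falls through to the default policy.
RULES = [
    Rule("pre_flow", "drop", 1, {"src_ip": "10.0.0.66"}),
    Rule("main", "accept", 2, {"proto": "tcp", "dest_port": 443}),
    Rule("main", "drop", 3, {"proto": "tcp", "dest_port": 23}),
]

# Constructed traffic sample.
PACKETS = [
    Packet("10.0.0.66", "192.0.2.10", "tcp", 443),  # blocked host, HTTPS
    Packet("10.0.0.5", "192.0.2.10", "tcp", 443),   # allowed HTTPS
    Packet("10.0.0.5", "192.0.2.10", "tcp", 23),    # telnet, explicit drop
    Packet("10.0.0.5", "192.0.2.53", "udp", 53),    # unmatched, default policy
]


def compare_modes(rules=RULES, packets=PACKETS):
    """Verdicts per packet for enforce, default-accept and monitor mode,
    plus the alert records the monitor engine produced."""
    engines = {
        "enforce": FirewallEngine(rules, "drop", monitor=False),
        "default_accept": FirewallEngine(rules, "accept", monitor=False),
        "monitor": FirewallEngine(rules, "drop", monitor=True),
    }
    verdicts = {name: [e.evaluate(p) for p in packets] for name, e in engines.items()}
    return verdicts, engines["monitor"].eve_log


if __name__ == "__main__":
    verdicts, log = compare_modes()
    for mode, v in verdicts.items():
        print(f"{mode:15s} {v}")
    for entry in log:
        print(entry)
```

Running it gives `enforce` = drop, accept, drop, drop; `default_accept` = drop, accept, drop, accept; `monitor` = accept for all four, with three alert records naming sid 1, sid 3 and the default policy as the suppressed verdict. That three-way comparison is the check an operator would want before flipping a policy to enforce.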
