Suricata alert only option

Suricata is powerful, efficient, and comprehensive, but with the multitude of rules available, I admit I get lost and generate many false positives.

I discovered that in the initial project, the “alert only” option could be enabled (it allows alerts without blocking, which seems perfect for testing and adding exceptions before production deployment).

Could this “alert only” option be integrated into IPFire (or is it already integrated somewhere)?

Thank you for your answers.

Select the edit pencil for the rules provider you want to only monitor and then enable the checkbox for Monitor traffic only.

3 Likes
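At the rule level, what a per-provider "monitor only" mode amounts to is Suricata's rule action keyword: a rule whose action is `drop` or `reject` blocks traffic when Suricata runs inline (IPS mode), while an `alert` rule only logs. The following added Python example is not IPFire's own code and not taken from this thread; it rewrites blocking actions to `alert` across a ruleset so you can run the same rules in alert-only form while tuning exceptions, and counts how many blocking rules remain. The sample ruleset and its SIDs are constructed for illustration, and the `pass` and commented-out rules are included to show what must be left untouched.

```python
import re
from typing import Tuple

# Suricata rule actions that block or actively disrupt traffic in IPS mode.
# "pass" is deliberately not included: it is already non-blocking and
# changing it to "alert" would alter rule semantics.
BLOCKING_ACTIONS = {"drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}

# A Suricata rule line begins with its action keyword, followed by the
# protocol and address specification. Comment lines begin with '#', so
# they never match because the action must be the first token.
_RULE_RE = re.compile(
    r"^(\s*)(%s)(\s+)"
    % "|".join(sorted(BLOCKING_ACTIONS, key=len, reverse=True))
)

# Constructed sample ruleset for this example (not a real provider feed).
SAMPLE_RULES = """\
# Constructed sample ruleset
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"TEST SMB probe"; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST already alert"; sid:9000002; rev:1;)
reject tcp any any -> $HOME_NET 23 (msg:"TEST telnet"; sid:9000003; rev:1;)
pass ip 192.0.2.10 any -> any any (msg:"TEST scanner whitelist"; sid:9000004; rev:1;)
# drop tcp any any -> any 1 (msg:"TEST disabled rule stays commented"; sid:9000005; rev:1;)
"""


def to_alert_only(rules_text: str) -> Tuple[str, int]:
    """Rewrite every blocking rule action to 'alert'.

    Returns the rewritten ruleset and the number of rules changed. Leading
    whitespace, comments, blank lines, 'alert' and 'pass' rules are kept
    exactly as they were, so the result can be diffed against the original.
    """
    out = []
    changed = 0
    for line in rules_text.splitlines(keepends=True):
        m = _RULE_RE.match(line)
        if m:
            indent, _action, sep = m.groups()
            out.append(f"{indent}alert{sep}{line[m.end():]}")
            changed += 1
        else:
            out.append(line)
    return "".join(out), changed


def count_blocking(rules_text: str) -> int:
    """Count active (uncommented) rules whose action would block traffic.

    Useful as a pre-deployment check: an alert-only ruleset returns 0.
    """
    return sum(1 for line in rules_text.splitlines() if _RULE_RE.match(line))


if __name__ == "__main__":
    converted, n = to_alert_only(SAMPLE_RULES)
    print(f"rewrote {n} blocking rule(s); "
          f"{count_blocking(converted)} blocking rule(s) remain")
    print(converted)
```

Run the conversion on a copy of the provider's rule files rather than in place, since switching back to blocking later means restoring the original actions; a version-controlled copy or the provider's fresh download serves that purpose.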

Okay, I admit I wasn’t very good there.

As always, @bonnietwin relevant and super responsive, thank you very much!

No problem. As the default is blocking, it can be very easy to miss where it needs to be changed for monitoring.

1 Like