Which action is specified for a suspicious packet?


Multiple Choice

Which action is specified for a suspicious packet?

Explanation:
When a packet is labeled suspicious rather than malicious, the policy deliberately withholds an immediate action so that more context can be gathered first. Acting on the label alone has a cost in either direction: logging every suspicious packet generates noise and consumes storage and analyst time, while dropping it disrupts users and applications whenever the suspicion turns out to be a false positive. By committing to neither action at this stage, the policy leaves room for deeper analysis, correlation with other events, or manual review to establish whether the traffic is actually harmful. In many deployments, suspicious traffic is therefore flagged for investigation, but the packet itself is not automatically blocked or logged unless additional evidence confirms a threat. That is why the expected answer is that no immediate action is taken: logging or dropping in isolation would either flood the system with data or block legitimate traffic without sufficient justification.

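The handling described above (suspicious packets flagged for investigation, with drop-and-log reserved for confirmed threats) can be shown as a small stateful policy engine. This is an added example, not code from the original page or from any exam vendor; the escalation rule (a threshold of repeated suspicious hits from one source counting as "additional evidence"), the verdict labels and the sample traffic are all assumptions made for illustration.

```python
"""Added example (not from the original page): a toy policy engine that
handles a 'suspicious' verdict the way the explanation describes. Packets
labelled suspicious get no immediate drop or log; the source is flagged for
investigation, and only corroborating evidence (assumed here: a threshold of
repeated suspicious hits from one source) escalates to drop + log."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    verdict: str  # "benign", "suspicious" or "malicious" (assumed upstream classifier labels)


@dataclass
class PacketPolicy:
    # Hypothetical escalation threshold: how many suspicious packets from one
    # source count as "additional evidence" that confirms a threat.
    threshold: int = 3
    suspicious_hits: dict = field(default_factory=lambda: defaultdict(int))
    flagged: list = field(default_factory=list)   # sources queued for investigation
    log: list = field(default_factory=list)       # events actually logged

    def action(self, pkt: Packet) -> str:
        """Return the policy action for one packet: 'allow', 'drop' or 'none'."""
        if pkt.verdict == "malicious":
            # Confirmed threat: drop and log immediately.
            self.log.append(f"drop malicious {pkt.src}->{pkt.dst}")
            return "drop"
        if pkt.verdict == "suspicious":
            # No immediate drop or log: record the hit and flag the source so
            # an analyst or a correlation rule can look at it later.
            self.suspicious_hits[pkt.src] += 1
            if pkt.src not in self.flagged:
                self.flagged.append(pkt.src)
            if self.suspicious_hits[pkt.src] >= self.threshold:
                # Evidence has accumulated: escalate to drop and log.
                self.log.append(
                    f"drop escalated {pkt.src}->{pkt.dst} "
                    f"after {self.suspicious_hits[pkt.src]} suspicious hits"
                )
                return "drop"
            return "none"
        return "allow"

    def evaluate(self, packets):
        """Apply the policy to a packet stream in order, returning one action per packet."""
        return [self.action(p) for p in packets]


# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet("10.0.0.5", "10.0.1.9", "suspicious"),   # one odd packet; do not act yet
    Packet("10.0.0.5", "10.0.1.9", "benign"),
    Packet("10.0.0.7", "10.0.1.9", "suspicious"),
    Packet("10.0.0.7", "10.0.1.9", "suspicious"),
    Packet("10.0.0.7", "10.0.1.9", "suspicious"),   # third hit: evidence accumulates, escalate
    Packet("10.0.0.8", "10.0.1.9", "malicious"),
]


def run_sample():
    """Run the constructed stream through a fresh policy; returns (actions, flagged, log)."""
    policy = PacketPolicy()
    actions = policy.evaluate(SAMPLE)
    return actions, list(policy.flagged), list(policy.log)


if __name__ == "__main__":
    acts, flagged, log = run_sample()
    for pkt, act in zip(SAMPLE, acts):
        print(f"{pkt.src:>10} {pkt.verdict:<10} -> {act}")
    print("flagged for investigation:", flagged)
    print("logged:", log)
```

Note what the engine does and does not do: the single suspicious packet from 10.0.0.5 gets the action "none", yet the source still ends up in the investigation queue, so "no immediate action" is not the same as ignoring the event. Whether the escalation should trigger on a hit count, on correlation with other sensors, or only after manual review is a policy decision the question itself does not specify.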
