Hello,
I am using IDS/IPS in divert mode. It works correctly while the service is running. However, when I stop the IDS/IPS service, the rules no longer work. For example, I am not able to SSH to the server even though it should be allowed by my rules.
Is it a bug?
It's not a bug. You divert the packet decisions to a different service; if it's not running, nobody can decide. There is no fallback, for obvious reasons (what if somebody maliciously stops your IDS service, for example).
Since diverting to IDS is handled by explicit firewall rules you could exempt local management traffic from the IDS.
Quote from: Monviech (Cedrik) on April 02, 2026, 12:04:40 PM
It's not a bug. You divert the packet decisions to a different service; if it's not running, nobody can decide. There is no fallback, for obvious reasons (what if somebody maliciously stops your IDS service, for example).
Oh, I get it, but I think it will cause some impact if we need to do maintenance on Suricata, such as restarting it.
Quote from: Patrick M. Hausen on April 02, 2026, 12:11:02 PM
Since diverting to IDS is handled by explicit firewall rules you could exempt local management traffic from the IDS.
OK, thank you for the advice. I am planning to enable IPS for all rules.