Problem with IPS/IDS Divert Mode

Started by nhk, April 02, 2026, 11:18:59 AM

Hello,

I am using IDS/IPS in divert mode. It works correctly while the service is running. However, when I stop the IDS/IPS service, the rules no longer work. For example, I am not able to SSH to the server even though it should be allowed by my rules.

Is it a bug?

It's not a bug, you divert the packet decisions to a different service, if it's not running nobody can decide, there is no fallback for obvious reasons (what if somebody maliciously stops your IDS service for example)
Hardware:
DEC740

Since diverting to IDS is handled by explicit firewall rules you could exempt local management traffic from the IDS.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
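As an added illustration of the advice above (not OPNsense's generated ruleset and not code from anyone in this thread), the fragment below shows the ordering idea in plain FreeBSD pf syntax: a `quick` pass rule for management SSH is evaluated before the divert rule, so that traffic is decided by pf alone and keeps working while Suricata is stopped or restarting. The network, interface name and divert port are assumed placeholders.

```pf
# Illustrative pf.conf fragment (assumed names; adjust to your environment).
mgmt_net = "192.0.2.0/24"   # placeholder management network
lan_if   = "igc0"           # placeholder LAN interface
ids_port = "8000"           # placeholder divert port Suricata listens on

# Management SSH is decided here by pf alone. "quick" stops rule evaluation,
# so this traffic never reaches the divert rule below and still passes when
# no IDS process is bound to the divert socket.
pass in quick on $lan_if proto tcp from $mgmt_net to ($lan_if) port 22 keep state

# Everything else is handed to the IDS through the divert socket. If nothing
# is listening on the divert port, these packets are dropped by design, which
# is the behaviour described in this thread.
pass in  on $lan_if inet divert-to 127.0.0.1 port $ids_port
pass out on $lan_if inet divert-to 127.0.0.1 port $ids_port
```

The trade-off is that exempted traffic is never inspected by the IDS, so keep the exemption as narrow as possible (one source network, one destination port).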

Quote from: Monviech (Cedrik) on April 02, 2026, 12:04:40 PM: It's not a bug, you divert the packet decisions to a different service, if it's not running nobody can decide, there is no fallback for obvious reasons (what if somebody maliciously stops your IDS service for example)

Oh, I get it, but I think it will cause some impact if we need to maintain Suricata, such as restarting it.

Quote from: Patrick M. Hausen on April 02, 2026, 12:11:02 PM: Since diverting to IDS is handled by explicit firewall rules you could exempt local management traffic from the IDS.

OK, thank you for the advice. I am planning to enable IPS for all rules.