Please include the following information with your help request:
- Suricata version: 7.0 upgrading to 8.0
- Operating system and/or Linux distribution: Ubuntu 24.04/minimal
- How you installed Suricata (from source, packages, something else) - source
Currently we are using Suricata in IPS mode. We are going to update our server with a new NIC and our intention is to bypass Suricata automatically / reroute traffic in case the server is not working or hanging. Appreciate your help on configuring this setup.
If your suricata is built with systemd-notify support then you can configure systemd to look for suricata’s signal that startup is complete and it is ready for traffic.
This signal can then be used to trigger your bypass cards to exit bypass mode.
Something like this in your systemd unit for suricata:
```
# Enable bypass before startup
ExecStartPre=-/usr/local/sbin/<some tool to control bypass> <args>
# Disable bypass once notified suricata is ready
ExecStartPost=/usr/local/sbin/<some tool to control bypass> <args>
# Start bypass prior to shutdown
ExecStop=-/usr/local/sbin/<some tool to control bypass> <args>
# Ensure bypass is running after shutdown
ExecStopPost=-/usr/local/sbin/<some tool to control bypass> <args>
```
This will not guard against suricata crashing however - you would likely have an outage the length of time it took systemd to notice the process is gone and do a restart. You can shave that down using a sidecar unit that binds to the suricata process.
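
One way to write the sidecar unit mentioned in the reply above, as an added example that is not part of the original thread or of Suricata's own packaging. The unit names `suricata.service` and `suricata-bypass-guard.service` are assumptions, and the bypass command is the same placeholder used in the reply.

```ini
# /etc/systemd/system/suricata-bypass-guard.service
# (hypothetical file name; assumes Suricata runs as suricata.service)

[Unit]
Description=Put the NIC into bypass whenever Suricata is not active
# BindsTo= combined with After= means this unit may only be active while
# suricata.service is active. If Suricata exits or crashes, systemd stops
# this unit, which runs ExecStop= below.
BindsTo=suricata.service
After=suricata.service

[Service]
# No long-running process is needed: the unit just stays "active" so that
# systemd has something to stop when Suricata goes away.
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
# Enable bypass. Placeholder command, replace with the tool for your card.
ExecStop=/usr/local/sbin/<some tool to control bypass> <args>

[Install]
# Pull this unit in whenever suricata.service is started.
WantedBy=suricata.service
```

After `systemctl daemon-reload`, enable it with `systemctl enable suricata-bypass-guard.service`. This reacts to the Suricata unit leaving the active state; it does not detect a process that is still running but has stopped forwarding packets.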