I’m using Suricata IPS mode on GCP behind a Network Load Balancer. This solution is working for me as an egress filtering solution, but the issue is that the Suricata service doesn’t listen on any port, so my load balancer health checks are failing: there is no port in a listening state. I understand Suricata directly reads the packets from the network interface, or we can forward using NFQ, but is there any way we can run the Suricata service on a port so it will be easy for me to check whether the Suricata service is running or not?
You might need to write your own wrapper around that: you can use suricatasc (unix socket) to query counters or stats in Suricata and try to expose this to a script/tool that your health check could look for.
I would not expose Suricata directly to an open port.
Yes, I have created one systemd service that always queries suricatasc (unix socket) to check service health, and alongside this systemd service also runs one socat daemon port to pass the LB health check.
Thanks, @Andreas_Herz for the quick guidance!
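As an added example (not code from either poster), a POSIX shell wrapper along the lines of what the thread describes: it asks Suricata for its uptime over the suricatasc unix socket and answers the load balancer's HTTP health check through a socat listener, so only the wrapper's port is exposed, never Suricata itself. The default socket path, the health-check port and the JSON reply shape of `suricatasc -c` are assumptions.

```shell
#!/bin/sh
# Health-check wrapper for Suricata IPS: added example, not the posters' code.
# Assumed defaults: suricatasc's standard socket path and a local port 8080.
SOCKET="${SURICATA_SOCKET:-/var/run/suricata/suricata-command.socket}"
HEALTH_PORT="${HEALTH_PORT:-8080}"

# Map a suricatasc JSON reply to an HTTP status code. On success suricatasc -c
# prints an object like {"message": 3600, "return": "OK"} (assumed format);
# anything else (NOK, empty reply, socket missing) is treated as unhealthy.
health_from_reply() {
    case "$1" in
        *'"return": "OK"'*|*'"return":"OK"'*) echo 200 ;;
        *) echo 503 ;;
    esac
}

# Query the running Suricata over the unix socket; never fail the script itself.
check_suricata() {
    reply="$(suricatasc -c uptime "$SOCKET" 2>/dev/null)" || reply=""
    health_from_reply "$reply"
}

# Build the minimal HTTP/1.1 response the load balancer's health check reads.
http_response() {
    status="$1"
    if [ "$status" = 200 ]; then
        text="OK"; body="suricata: up"
    else
        text="Service Unavailable"; body="suricata: down"
    fi
    printf 'HTTP/1.1 %s %s\r\nContent-Type: text/plain\r\nContent-Length: %s\r\nConnection: close\r\n\r\n%s\n' \
        "$status" "$text" "$(( ${#body} + 1 ))" "$body"
}

# One health-check connection: run the query, write the response, exit.
handle_connection() { http_response "$(check_suricata)"; }

# "serve" starts the listener (socat forks this script per connection);
# "handle" is what socat runs for each connection. Restrict the port to the
# load balancer's health-check source ranges with the host firewall.
case "${1:-}" in
    serve)  exec socat TCP-LISTEN:"$HEALTH_PORT",reuseaddr,fork EXEC:"$0 handle" ;;
    handle) handle_connection ;;
esac
```

Run it as `./suricata-health.sh serve` from a systemd unit, and point the load balancer's HTTP health check at the chosen port.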