]> git.ipfire.org Git - people/mfischer/ipfire-2.x.git/blob - src/initscripts/system/suricata
projects / people / mfischer / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
core164: exclude boot/uEnv.txt
[people/mfischer/ipfire-2.x.git] / src / initscripts / system / suricata
1 #!/bin/sh
2 ########################################################################
3 # Begin $rc_base/init.d/suricata
4 #
5 # Description : Suricata Initscript
6 #
7 # Author : Stefan Schantl <stefan.schantl@ipfire.org>
8 #
9 # Version : 01.03
10 #
11 # Notes :
12 #
13 ########################################################################
14
15 . /etc/sysconfig/rc
16 . ${rc_functions}
17
18 PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
19
20 eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)
21 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
22
23 # Name of the firewall chains.
24 IPS_INPUT_CHAIN="IPS_INPUT"
25 IPS_FORWARD_CHAIN="IPS_FORWARD"
26 IPS_OUTPUT_CHAIN="IPS_OUTPUT"
27
28 # Optional options for the Netfilter queue.
29 NFQ_OPTS="--queue-bypass "
30
31 # Array containing the 4 possible network zones.
32 network_zones=( red green blue orange ovpn )
33
34 # Array to store the network zones weather the IPS is enabled for.
35 enabled_ips_zones=()
36
37 # PID file of suricata.
38 PID_FILE="/var/run/suricata.pid"
39
40 # Function to get the amount of CPU cores of the system.
41 function get_cpu_count {
42 CPUCOUNT=0
43
44 # Loop through "/proc/cpuinfo" and count the amount of CPU cores.
45 while read line; do
46 [ "$line" ] && [ -z "${line%processor*}" ] && ((CPUCOUNT++))
47 done </proc/cpuinfo
48
49 # Limit to a maximum of 16 cores, because suricata does not support more than
50 # 16 netfilter queues at the moment.
51 if [ $CPUCOUNT -gt "16" ]; then
52 echo "16"
53 else
54 echo $CPUCOUNT
55 fi
56 }
57
58 # Function to flush the firewall chains.
59 function flush_fw_chain {
60 # Call iptables and flush the chains
61 iptables -w -F "$IPS_INPUT_CHAIN"
62 iptables -w -F "$IPS_FORWARD_CHAIN"
63 iptables -w -F "$IPS_OUTPUT_CHAIN"
64 }
65
66 # Function to create the firewall rules to pass the traffic to suricata.
67 function generate_fw_rules {
68 cpu_count=$(get_cpu_count)
69
70 # Loop through the array of network zones.
71 for zone in "${network_zones[@]}"; do
72 # Convert zone into upper case.
73 zone_upper=${zone^^}
74
75 # Generate variable name for checking if the IDS is
76 # enabled on the zone.
77 enable_ids_zone="ENABLE_IDS_$zone_upper"
78
79 # Check if the IDS is enabled for this network zone.
80 if [ "${!enable_ids_zone}" == "on" ]; then
81 # Check if the current processed zone is "red" and the configured type is PPPoE dialin.
82 if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ]; then
83 # Set device name to ppp0.
84 network_device="ppp0"
85 elif [ "$zone" == "ovpn" ]; then
86 # Get all virtual net devices because the RW server and each
87 # N2N connection creates it's own tun device.
88 for virt_dev in /sys/devices/virtual/net/*; do
89 # Cut-off the directory.
90 dev="${virt_dev##*/}"
91
92 # Only process tun devices.
93 if [[ $dev =~ "tun" ]]; then
94 # Add the network device to the array of enabled zones.
95 enabled_ips_zones+=( "$dev" )
96 fi
97 done
98
99 # Process next zone.
100 continue
101 else
102 # Generate variable name which contains the device name.
103 zone_name="$zone_upper"
104 zone_name+="_DEV"
105
106 # Grab device name.
107 network_device=${!zone_name}
108 fi
109
110 # Add the network device to the array of enabled zones.
111 enabled_ips_zones+=( "$network_device" )
112 fi
113 done
114
115 # Assign NFQ_OPTS
116 NFQ_OPTIONS=$NFQ_OPTS
117
118 # Check if there are multiple cpu cores available.
119 if [ "$cpu_count" -gt "1" ]; then
120 # Balance beetween all queues.
121 NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))"
122 NFQ_OPTIONS+=" --queue-cpu-fanout"
123 else
124 # Send all packets to queue 0.
125 NFQ_OPTIONS+="--queue-num 0"
126 fi
127
128 # Flush the firewall chains.
129 flush_fw_chain
130
131 # Check if the array of enabled_ips_zones contains any elements.
132 if [[ ${enabled_ips_zones[@]} ]]; then
133 # Loop through the array and create firewall rules.
134 for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
135 # Create rules queue input and output related traffic and pass it to the IPS.
136 iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS
137 iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS
138
139 # Create rules which are required to handle forwarded traffic.
140 for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
141 iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -j NFQUEUE $NFQ_OPTIONS
142 done
143 done
144 fi
145 }
146
147 case "$1" in
148 start)
149 # Get amount of CPU cores.
150 cpu_count=$(get_cpu_count)
151
152 # Numer of NFQUES.
153 NFQUEUES="-q 0"
154
155 if [ $cpu_count -gt "1" ]; then
156 NFQUEUES+=":$(($cpu_count-1))"
157 fi
158
159 # Check if the IDS should be started.
160 if [ "$ENABLE_IDS" == "on" ]; then
161 # Start the IDS.
162 boot_mesg "Starting Intrusion Detection System..."
163 /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES >/dev/null 2>/dev/null
164 evaluate_retval
165
166 # Allow reading the pidfile.
167 chmod 644 $PID_FILE
168
169 # Flush the firewall chain
170 flush_fw_chain
171
172 # Generate firewall rules
173 generate_fw_rules
174 fi
175 ;;
176
177 stop)
178 boot_mesg "Stopping Intrusion Detection System..."
179 killproc -p $PID_FILE /var/run
180
181 # Flush firewall chain.
182 flush_fw_chain
183
184 # Sometimes suricata not correct shutdown. So killall.
185 killall -KILL /usr/bin/suricata 2>/dev/null
186
187 # Remove suricata control socket.
188 rm /var/run/suricata/* >/dev/null 2>/dev/null
189
190 # Trash remain pid file if still exists.
191 rm -f $PID_FILE >/dev/null 2>/dev/null
192
193 # Don't report returncode of rm if suricata was not started
194 exit 0
195 ;;
196
197 status)
198 statusproc /usr/bin/suricata
199 ;;
200
201 restart)
202 $0 stop
203 $0 start
204 ;;
205 reload)
206 # Send SIGUSR2 to the suricata process to perform a reload
207 # of the ruleset.
208 kill -USR2 $(pidof suricata)
209
210 # Flush the firewall chain.
211 flush_fw_chain
212
213 # Generate firewall rules.
214 generate_fw_rules
215 ;;
216
217 *)
218 echo "Usage: $0 {start|stop|restart|reload|status}"
219 exit 1
220 ;;
221 esac
222
223 chmod 644 /var/log/suricata/* 2>/dev/null
224
225 # End $rc_base/init.d/suricata
Matthias' tree of IPFire 2.x