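#!/bin/sh
########################################################################
# Begin $rc_base/init.d/suricata
#
# Description : Suricata Initscript
#
# Author      : Stefan Schantl <stefan.schantl@ipfire.org>
#
# Version     : 01.00
#
# Notes       : Despite the /bin/sh shebang this script relies on bash
#               features (arrays, ${var^^}, ${!var} indirection), so
#               /bin/sh must resolve to bash on the target system.
#
########################################################################

. /etc/sysconfig/rc
. "${rc_functions}"

PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH

# Load the IDS and network settings.  Whatever readhash prints for these
# files is executed as shell code by eval, so the settings files must stay
# root-owned and not writable by unprivileged users.  The substitution is
# quoted so that the generated assignments reach eval unchanged (one per
# line) instead of being word-split and pathname-expanded first.
eval "$(/usr/local/bin/readhash /var/ipfire/suricata/settings)"
eval "$(/usr/local/bin/readhash /var/ipfire/ethernet/settings)"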
# Netfilter chain that receives the traffic handed over to the IDS.
FW_CHAIN=IPS

# Extra options for the NFQUEUE target.  --queue-bypass makes the rule
# fail open: a packet is accepted instead of dropped when no process is
# bound to the queue, so traffic keeps flowing while suricata is down.
NFQ_OPTS="--queue-bypass "

# The zones the IDS can be enabled on (controlled by ENABLE_IDS_<ZONE>).
network_zones=(red green blue orange)

# Packet mark and mask; the rules built in generate_fw_rules only queue
# packets that do NOT carry this mark.
MARK=0x70000000
MASK=0x70000000

# PID file written by suricata.
PID_FILE=/var/run/suricata.pid
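# Function to get the amount of CPU cores of the system.
#
# Counts the lines of /proc/cpuinfo that start with "processor" and
# prints the count on stdout.  Prints 0 when the file is not readable.
# The counter is kept local so the function leaves no global behind.
function get_cpu_count {
    local cpu_count=0
    local line

    if [ -r /proc/cpuinfo ]; then
        # IFS= and -r keep the line exactly as read (no backslash
        # processing, no trimming); only the "processor" prefix matters.
        while IFS= read -r line; do
            case "$line" in
                processor*) cpu_count=$((cpu_count + 1)) ;;
            esac
        done </proc/cpuinfo
    fi

    echo "$cpu_count"
}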
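# Function to create the firewall rules to pass the traffic to suricata.
#
# For every zone with ENABLE_IDS_<ZONE>="on" two NFQUEUE rules are
# inserted into $FW_CHAIN, one for incoming and one for outgoing traffic
# on the zone's device.  Only packets that do not carry $MARK/$MASK are
# queued.  Reads the globals FW_CHAIN, NFQ_OPTS, network_zones, MARK,
# MASK, RED_TYPE and the <ZONE>_DEV / ENABLE_IDS_<ZONE> settings.
function generate_fw_rules {
    local cpu_count zone zone_upper enable_ids_zone zone_name
    local network_device nfq_options

    cpu_count=$(get_cpu_count)

    # Start from an empty chain so rules are never duplicated.
    iptables -F "$FW_CHAIN"

    for zone in "${network_zones[@]}"; do
        zone_upper=${zone^^}

        # ENABLE_IDS_<ZONE> tells whether the IDS is enabled on this zone.
        # The variable name is built from the fixed zone list above, never
        # from external input.
        enable_ids_zone="ENABLE_IDS_$zone_upper"
        [ "${!enable_ids_zone}" == "on" ] || continue

        # The red zone uses ppp0 when configured as PPPoE dialin,
        # otherwise the device name comes from <ZONE>_DEV.
        if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ]; then
            network_device="ppp0"
        else
            zone_name="${zone_upper}_DEV"
            network_device=${!zone_name}
        fi

        # Without a device name iptables would be called with an empty
        # interface argument; skip the zone instead of installing a
        # broken rule.
        if [ -z "$network_device" ]; then
            continue
        fi

        # Spread the packets over one queue per CPU core when there is
        # more than one, otherwise send everything to queue 0.
        nfq_options=$NFQ_OPTS
        if [ "$cpu_count" -gt "1" ]; then
            nfq_options+="--queue-balance 0:$(($cpu_count-1))"
            nfq_options+=" --queue-cpu-fanout"
        else
            nfq_options+="--queue-num 0"
        fi

        # Queue the traffic of this device in both directions.  nfq_options
        # is intentionally unquoted so it expands to separate arguments.
        iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $nfq_options
        iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $nfq_options
    done

    # Clear repeat bit, so that it does not confuse IPsec or QoS
    iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
}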
# Function to flush the firewall chain.
#
# Removes every rule from $FW_CHAIN; the chain itself is kept.
function flush_fw_chain {
    iptables --flush "${FW_CHAIN}"
}
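case "$1" in
    start)
        # One NFQUEUE per CPU core: build the "-q 0 -q 1 ..." argument
        # list suricata is started with.  generate_fw_rules balances the
        # traffic over the same range of queue numbers.
        cpu_count=$(get_cpu_count)

        NFQUEUES=
        for i in $(seq 0 $((cpu_count-1)) ); do
            NFQUEUES+="-q $i "
        done

        # Check if the IDS should be started.
        if [ "$ENABLE_IDS" == "on" ]; then
            boot_mesg "Starting Intrusion Detection System..."
            /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES >/dev/null 2>&1
            evaluate_retval

            # Allow reading the pidfile.
            chmod 644 "$PID_FILE"

            # Install the NFQUEUE rules after the daemon has been
            # started, first clearing any rules left from an earlier run.
            flush_fw_chain
            generate_fw_rules
        fi
        ;;

    stop)
        boot_mesg "Stopping Intrusion Detection System..."
        killproc -p "$PID_FILE" /var/run

        # Flush firewall chain.
        flush_fw_chain

        # Remove suricata control socket.
        rm /var/run/suricata/* >/dev/null 2>&1

        # Don't report returncode of rm if suricata was not started.
        # Note that exiting here also skips the chmod after the case block.
        exit 0
        ;;

    status)
        statusproc /usr/bin/suricata
        ;;

    restart)
        "$0" stop
        "$0" start
        ;;

    reload)
        # Send SIGUSR2 to the suricata process to perform a reload
        # of the ruleset.  pidof matches by process name, so every
        # process called "suricata" is signalled; when none is running
        # there is nothing to signal and kill must not be called with
        # an empty argument list.
        pids=$(pidof suricata)
        if [ -n "$pids" ]; then
            kill -USR2 $pids
        fi

        # Flush the firewall chain.
        flush_fw_chain

        # Generate firewall rules.
        generate_fw_rules
        ;;

    *)
        echo "Usage: $0 {start|stop|restart|reload|status}"
        exit 1
        ;;
esac

# Make the logfiles world-readable.  This runs for every action except
# stop (which exits above), so files created since the last start are
# covered too.
chmod 644 /var/log/suricata/* 2>/dev/null

# End $rc_base/init.d/suricata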