2 ########################################################################
3 # Begin $rc_base/init.d/suricata
5 # Description : Suricata Initscript
7 # Author : Stefan Schantl <stefan.schantl@ipfire.org>
13 ########################################################################
18 PATH
=/usr
/local
/sbin
:/usr
/local
/bin
:/bin
:/usr
/bin
:/sbin
:/usr
/sbin
; export PATH
20 eval $
(/usr
/local
/bin
/readhash
/var
/ipfire
/suricata
/settings
)
21 eval $
(/usr
/local
/bin
/readhash
/var
/ipfire
/ethernet
/settings
)
23 # Name of the firewall chains.
24 IPS_INPUT_CHAIN
="IPS_INPUT"
25 IPS_FORWARD_CHAIN
="IPS_FORWARD"
26 IPS_OUTPUT_CHAIN
="IPS_OUTPUT"
28 # Optional options for the Netfilter queue.
29 NFQ_OPTS
="--queue-bypass "
31 # Array containing the 4 possible network zones.
32 network_zones
=( red green blue orange ovpn
)
34 # Array to store the network zones weather the IPS is enabled for.
37 # Mark and Mask options.
38 REPEAT_MARK
="0x80000000"
39 REPEAT_MASK
="0x80000000"
40 BYPASS_MARK
="0x40000000"
41 BYPASS_MASK
="0x40000000"
43 # PID file of suricata.
44 PID_FILE
="/var/run/suricata.pid"
46 # Function to get the amount of CPU cores of the system.
47 function get_cpu_count
{
50 # Loop through "/proc/cpuinfo" and count the amount of CPU cores.
52 [ "$line" ] && [ -z "${line%processor*}" ] && ((CPUCOUNT
++))
55 # Limit to a maximum of 16 cores, because suricata does not support more than
56 # 16 netfilter queues at the moment.
57 if [ $CPUCOUNT -gt "16" ]; then
64 # Function to flush the firewall chains.
65 function flush_fw_chain
{
66 # Call iptables and flush the chains
67 iptables
-w -F "$IPS_INPUT_CHAIN"
68 iptables
-w -F "$IPS_FORWARD_CHAIN"
69 iptables
-w -F "$IPS_OUTPUT_CHAIN"
72 # Function to create the firewall rules to pass the traffic to suricata.
73 function generate_fw_rules
{
74 cpu_count
=$
(get_cpu_count
)
76 # Loop through the array of network zones.
77 for zone
in "${network_zones[@]}"; do
78 # Convert zone into upper case.
81 # Generate variable name for checking if the IDS is
82 # enabled on the zone.
83 enable_ids_zone
="ENABLE_IDS_$zone_upper"
85 # Check if the IDS is enabled for this network zone.
86 if [ "${!enable_ids_zone}" == "on" ]; then
87 # Check if the current processed zone is "red" and the configured type is PPPoE dialin.
88 if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ]; then
89 # Set device name to ppp0.
91 elif [ "$zone" == "ovpn" ]; then
92 # Get all virtual net devices because the RW server and each
93 # N2N connection creates it's own tun device.
94 for virt_dev
in /sys
/devices
/virtual
/net
/*; do
95 # Cut-off the directory.
98 # Only process tun devices.
99 if [[ $dev =~
"tun" ]]; then
100 # Add the network device to the array of enabled zones.
101 enabled_ips_zones
+=( "$dev" )
108 # Generate variable name which contains the device name.
109 zone_name
="$zone_upper"
113 network_device
=${!zone_name}
116 # Add the network device to the array of enabled zones.
117 enabled_ips_zones
+=( "$network_device" )
122 NFQ_OPTIONS
=$NFQ_OPTS
124 # Check if there are multiple cpu cores available.
125 if [ "$cpu_count" -gt "1" ]; then
126 # Balance beetween all queues.
127 NFQ_OPTIONS
+="--queue-balance 0:$(($cpu_count-1))"
128 NFQ_OPTIONS
+=" --queue-cpu-fanout"
130 # Send all packets to queue 0.
131 NFQ_OPTIONS
+="--queue-num 0"
134 # Flush the firewall chains.
137 # Check if the array of enabled_ips_zones contains any elements.
138 if [[ ${enabled_ips_zones[@]} ]]; then
139 # Loop through the array and create firewall rules.
140 for enabled_ips_zone
in "${enabled_ips_zones[@]}"; do
141 # Create rules queue input and output related traffic and pass it to the IPS.
142 iptables
-w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark
! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE
$NFQ_OPTIONS
143 iptables
-w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark
! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE
$NFQ_OPTIONS
145 # Create rules which are required to handle forwarded traffic.
146 for enabled_ips_zone_forward
in "${enabled_ips_zones[@]}"; do
147 iptables
-w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark
! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE
$NFQ_OPTIONS
151 # Clear repeat bit, so that it does not confuse IPsec or QoS
152 iptables
-w -A "${IPS_INPUT_CHAIN}" -j MARK
--set-xmark "0x0/${REPEAT_MASK}"
153 iptables
-w -A "${IPS_FORWARD_CHAIN}" -j MARK
--set-xmark "0x0/${REPEAT_MASK}"
154 iptables
-w -A "${IPS_OUTPUT_CHAIN}" -j MARK
--set-xmark "0x0/${REPEAT_MASK}"
160 # Get amount of CPU cores.
161 cpu_count
=$
(get_cpu_count
)
166 if [ $cpu_count -gt "1" ]; then
167 NFQUEUES
+=":$(($cpu_count-1))"
170 # Check if the IDS should be started.
171 if [ "$ENABLE_IDS" == "on" ]; then
173 boot_mesg
"Starting Intrusion Detection System..."
174 /usr
/bin
/suricata
-c /etc
/suricata
/suricata.yaml
-D $NFQUEUES >/dev
/null
2>/dev
/null
177 # Allow reading the pidfile.
180 # Flush the firewall chain
183 # Generate firewall rules
189 boot_mesg
"Stopping Intrusion Detection System..."
190 killproc
-p $PID_FILE /var
/run
192 # Flush firewall chain.
195 # Sometimes suricata not correct shutdown. So killall.
196 killall
-KILL /usr
/bin
/suricata
2>/dev
/null
198 # Remove suricata control socket.
199 rm /var
/run
/suricata
/* >/dev
/null
2>/dev
/null
201 # Trash remain pid file if still exists.
202 rm -f $PID_FILE >/dev
/null
2>/dev
/null
204 # Don't report returncode of rm if suricata was not started
209 statusproc
/usr
/bin
/suricata
217 # Send SIGUSR2 to the suricata process to perform a reload
219 kill -USR2 $
(pidof suricata
)
221 # Flush the firewall chain.
224 # Generate firewall rules.
229 echo "Usage: $0 {start|stop|restart|reload|status}"
234 chmod 644 /var
/log
/suricata
/* 2>/dev
/null
236 # End $rc_base/init.d/suricata