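#!/bin/bash
########################################################################
# Begin $rc_base/init.d/suricata
#
# Description : Suricata Initscript
#
# Author      : Stefan Schantl <stefan.schantl@ipfire.org>
#
# Version     : 01.00
#
# Notes       : The script relies on bash-only features (arrays,
#               ${var^^}, ${!name} indirection, +=, (( ))), so the
#               interpreter is declared as bash rather than /bin/sh.
#
########################################################################

. /etc/sysconfig/rc
. ${rc_functions}

PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH

# Load the IDS settings (ENABLE_IDS, ENABLE_IDS_<ZONE>, ...). readhash
# turns the settings file into shell assignments which are eval'd here
# as root, so that file must remain root-owned and not writable by the
# web server user; anything placed in it is executed by this script.
eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)

# Name of the firewall chain. The chain is owned by this script: it is
# flushed on stop and before rules are (re)inserted on start.
FW_CHAIN="IPS"

# Optional options for the Netfilter queue.
# --queue-bypass lets the kernel accept queued packets when no userspace
# program is bound to the queue, so traffic keeps flowing while suricata
# is not (yet) running or has died. The trade-off is that the IDS/IPS is
# silently fail-open during that window.
NFQ_OPTS="--queue-bypass "

# Array containing the 4 possible network zones.
network_zones=( red green blue orange )

# Mark and Mask options. Packets already carrying this mark are not
# queued again by the rules below.
MARK="0x2"
MASK="0x2"

# PID file of suricata.
PID_FILE="/var/run/suricata.pid"

case "$1" in
	start)
		# Get amount of CPU cores (one "processor" line per core in
		# /proc/cpuinfo) and build one "-q N" queue argument per core.
		CPUCOUNT=$(grep -c '^processor' /proc/cpuinfo)
		NFQUEUES=
		for (( queue = 0; queue < CPUCOUNT; queue++ )); do
			NFQUEUES+="-q $queue "
		done

		# Check if the IDS should be started.
		if [ "$ENABLE_IDS" == "on" ]; then
			# Drop rules left behind by an earlier start so that
			# calling start twice does not queue every packet twice.
			iptables -F "$FW_CHAIN"

			# Loop through the array of network zones.
			for zone in "${network_zones[@]}"; do
				# Convert zone into upper case.
				zone_upper=${zone^^}

				# Generate variable name for checking if the IDS is
				# enabled on the zone (ENABLE_IDS_RED, ENABLE_IDS_GREEN, ...).
				enable_ids_zone="ENABLE_IDS_$zone_upper"

				# Check if the IDS is enabled for this network zone.
				if [ "${!enable_ids_zone}" == "on" ]; then
					# Generate name of the network interface (red0, green0, ...).
					network_device="${zone}0"

					# Assign NFQ_OPTS
					NFQ_OPTIONS=$NFQ_OPTS

					# Check if there are multiple cpu cores available.
					if [ "$CPUCOUNT" -gt "1" ]; then
						# Balance between all queues.
						NFQ_OPTIONS+="--queue-balance 0:$((CPUCOUNT-1))"
					else
						# Send all packets to queue 0.
						NFQ_OPTIONS+="--queue-num 0"
					fi

					# Create firewall rules to queue the traffic and pass to
					# the IDS. Only packets without the mark are queued.
					iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
					iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
				fi
			done

			# Start the IDS.
			boot_mesg "Starting Intrusion Detection System..."
			/usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES
			evaluate_retval

			# Allow reading the pidfile. Skipped silently when suricata
			# failed to start and never wrote it.
			[ -f "$PID_FILE" ] && chmod 644 "$PID_FILE"
		fi
		;;

	stop)
		boot_mesg "Stopping Intrusion Detection System..."
		# The pathname passed to killproc identifies the daemon (it is
		# used for the boot message and, presumably, any pidof fallback),
		# so it has to be the suricata binary rather than the run directory.
		killproc -p "$PID_FILE" /usr/bin/suricata

		# Flush firewall chain so no traffic is sent to the now unbound
		# queues.
		iptables -F "$FW_CHAIN"

		# Remove suricata control socket.
		rm -f /var/run/suricata/* >/dev/null 2>/dev/null

		# Don't report returncode of rm if suricata was not started
		exit 0
		;;

	status)
		statusproc /usr/bin/suricata
		;;

	restart)
		$0 stop
		$0 start
		;;

	reload)
		# Send SIGUSR2 to the suricata process to perform a reload
		# of the ruleset. The daemon is taken from the pidfile rather
		# than "pidof suricata", which would also signal any other
		# process of that name and errors out when none is running.
		if [ -f "$PID_FILE" ]; then
			kill -USR2 "$(cat "$PID_FILE")"
		else
			boot_mesg "Intrusion Detection System is not running."
			exit 1
		fi
		;;

	*)
		echo "Usage: $0 {start|stop|restart|reload|status}"
		exit 1
		;;
esac

# Make the log files world-readable (runs on every invocation except
# stop, which exits above). Be aware that this exposes the IDS logs,
# which may include alert details and payload excerpts, to every local
# user. Only regular files are touched: chmod 644 on a directory would
# strip its execute bit and make it untraversable.
find /var/log/suricata -maxdepth 1 -type f -exec chmod 644 {} + 2>/dev/null

# End $rc_base/init.d/suricata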