[ipfire-2.x.git] / src / initscripts / system / suricata

#!/bin/sh
########################################################################
# Begin $rc_base/init.d/suricata
#
# Description : Suricata Initscript
#
# Author      : Stefan Schantl <stefan.schantl@ipfire.org>
#
# Version     : 01.00
#
# Notes       :
#
########################################################################

. /etc/sysconfig/rc
. ${rc_functions}

PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH

eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)

# Name of the firewall chain.
FW_CHAIN="IPS"

# Optional options for the Netfilter queue.
NFQ_OPTS="--queue-bypass "

# Array containing the 4 possible network zones.
network_zones=( red green blue orange )

# Mark and Mask options.
MARK="0x2"
MASK="0x2"

# PID file of suricata.
PID_FILE="/var/run/suricata.pid"

case "$1" in
        start)
		# Get amount of CPU cores.
		NFQUEUES=
		CPUCOUNT=0
		while read line; do
			[ "$line" ] && [ -z "${line%processor*}" ] && NFQUEUES+="-q $CPUCOUNT " && ((CPUCOUNT++))
		done </proc/cpuinfo

		# Check if the IDS should be started.
		if [ "$ENABLE_IDS" == "on" ]; then
			# Loop through the array of network zones.
			for zone in "${network_zones[@]}"; do
				# Convert zone into upper case.
				zone_upper=${zone^^}

				# Generate variable name for checking if the IDS is
				# enabled on the zone.
				enable_ids_zone="ENABLE_IDS_$zone_upper"

				# Check if the IDS is enabled for this network zone.
				if [ "${!enable_ids_zone}" == "on" ]; then
					# Generate name of the network interface.
					network_device=$zone
					network_device+="0"

					# Assign NFQ_OPTS
					NFQ_OPTIONS=$NFQ_OPTS

					# Check if there are multiple cpu cores available.
					if [ "$CPUCOUNT" -gt "1" ]; then
						# Balance beetween all queues.
						NFQ_OPTIONS+="--queue-balance 0:"
						NFQ_OPTIONS+=$(($CPUCOUNT-1))
					else
						# Send all packets to queue 0.
						NFQ_OPTIONS+="--queue-num 0"
					fi

					# Create firewall rules to queue the traffic and pass to
					# the IDS.
					iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
					iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
				fi
			done

			# Start the IDS.
			boot_mesg "Starting Intrusion Detection System..."
			/usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES
			evaluate_retval

			# Allow reading the pidfile.
			chmod 644 $PID_FILE
		fi
	;;

        stop)
		boot_mesg "Stopping Intrusion Detection System..."
		killproc -p $PID_FILE /var/run

		# Flush firewall chain.
		iptables -F $FW_CHAIN

		# Remove suricata control socket.              
		rm /var/run/suricata/* >/dev/null 2>/dev/null

		# Don't report returncode of rm if suricata was not started
		exit 0
        ;;
                
        status)
                statusproc /usr/bin/suricata
                ;;
                
        restart)
                $0 stop
                $0 start
                ;;
	reload)
		# Send SIGUSR2 to the suricata process to perform a reload
		# of the ruleset.
		kill -USR2 $(pidof suricata)
		;;
                
        *)
                echo "Usage: $0 {start|stop|restart|reload|status}"
                exit 1
                ;;
esac

chmod 644 /var/log/suricata/* 2>/dev/null

# End $rc_base/init.d/suricata
Commit	Line	Data
d72b3e64 SS	1	#!/bin/sh
	2	########################################################################
	3	# Begin $rc_base/init.d/suricata
	4	#
	5	# Description : Suricata Initscript
	6	#
	7	# Author : Stefan Schantl <stefan.schantl@ipfire.org>
	8	#
	9	# Version : 01.00
	10	#
	11	# Notes :
	12	#
	13	########################################################################
	14
	15	. /etc/sysconfig/rc
	16	. ${rc_functions}
	17
	18	PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
	19
d72b3e64 SS	20	eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)
d72b3e64 SS	21
3c2c5483 SS	22	# Name of the firewall chain.
	23	FW_CHAIN="IPS"
	24
	25	# Optional options for the Netfilter queue.
	26	NFQ_OPTS="--queue-bypass "
	27
	28	# Array containing the 4 possible network zones.
	29	network_zones=( red green blue orange )
	30
	31	# Mark and Mask options.
f5ad510e SS	32	MARK="0x2"
f5ad510e SS	33	MASK="0x2"
3c2c5483	34
00a03114 SS	35	# PID file of suricata.
	36	PID_FILE="/var/run/suricata.pid"
	37
d72b3e64 SS	38	case "$1" in
	39	start)
	40	# Get amount of CPU cores.
	41	NFQUEUES=
	42	CPUCOUNT=0
	43	while read line; do
	44	[ "$line" ] && [ -z "${line%processor*}" ] && NFQUEUES+="-q $CPUCOUNT " && ((CPUCOUNT++))
	45	done </proc/cpuinfo
	46
3c2c5483 SS	47	# Check if the IDS should be started.
	48	if [ "$ENABLE_IDS" == "on" ]; then
	49	# Loop through the array of network zones.
	50	for zone in "${network_zones[@]}"; do
	51	# Convert zone into upper case.
	52	zone_upper=${zone^^}
	53
55658ee3 SS	54	# Generate variable name for checking if the IDS is
	55	# enabled on the zone.
	56	enable_ids_zone="ENABLE_IDS_$zone_upper"
	57
3c2c5483	58	# Check if the IDS is enabled for this network zone.
55658ee3	59	if [ "${!enable_ids_zone}" == "on" ]; then
3c2c5483 SS	60	# Generate name of the network interface.
	61	network_device=$zone
	62	network_device+="0"
	63
	64	# Assign NFQ_OPTS
	65	NFQ_OPTIONS=$NFQ_OPTS
	66
	67	# Check if there are multiple cpu cores available.
5f630673	68	if [ "$CPUCOUNT" -gt "1" ]; then
3c2c5483 SS	69	# Balance beetween all queues.
	70	NFQ_OPTIONS+="--queue-balance 0:"
	71	NFQ_OPTIONS+=$(($CPUCOUNT-1))
	72	else
	73	# Send all packets to queue 0.
	74	NFQ_OPTIONS+="--queue-num 0"
	75	fi
	76
	77	# Create firewall rules to queue the traffic and pass to
	78	# the IDS.
55658ee3 SS	79	iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
55658ee3 SS	80	iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
3c2c5483 SS	81	fi
	82	done
	83
	84	# Start the IDS.
	85	boot_mesg "Starting Intrusion Detection System..."
	86	/usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES
	87	evaluate_retval
00a03114 SS	88
	89	# Allow reading the pidfile.
	90	chmod 644 $PID_FILE
3c2c5483	91	fi
d72b3e64 SS	92	;;
	93
	94	stop)
	95	boot_mesg "Stopping Intrusion Detection System..."
00a03114	96	killproc -p $PID_FILE /var/run
d72b3e64	97
3c2c5483 SS	98	# Flush firewall chain.
	99	iptables -F $FW_CHAIN
	100
d72b3e64 SS	101	# Remove suricata control socket.
	102	rm /var/run/suricata/* >/dev/null 2>/dev/null
	103
	104	# Don't report returncode of rm if suricata was not started
	105	exit 0
	106	;;
	107
	108	status)
	109	statusproc /usr/bin/suricata
	110	;;
	111
	112	restart)
	113	$0 stop
	114	$0 start
	115	;;
6187da50 SS	116	reload)
	117	# Send SIGUSR2 to the suricata process to perform a reload
	118	# of the ruleset.
	119	kill -USR2 $(pidof suricata)
	120	;;
d72b3e64 SS	121
d72b3e64 SS	122	*)
6187da50	123	echo "Usage: $0 {start\|stop\|restart\|reload\|status}"
d72b3e64 SS	124	exit 1
	125	;;
	126	esac
	127
	128	chmod 644 /var/log/suricata/* 2>/dev/null
	129
	130	# End $rc_base/init.d/suricata