]> git.ipfire.org Git - ipfire-2.x.git/blob - src/initscripts/system/suricata
projects / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
suricata: Remove PID file on stop
[ipfire-2.x.git] / src / initscripts / system / suricata
1 #!/bin/sh
2 ########################################################################
3 # Begin $rc_base/init.d/suricata
4 #
5 # Description : Suricata Initscript
6 #
7 # Author : Stefan Schantl <stefan.schantl@ipfire.org>
8 #
9 # Version : 01.01
10 #
11 # Notes :
12 #
13 ########################################################################
14
15 . /etc/sysconfig/rc
16 . ${rc_functions}
17
18 PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
19
20 eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)
21 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
22
23 # Name of the firewall chains.
24 IPS_INPUT_CHAIN="IPS_INPUT"
25 IPS_FORWARD_CHAIN="IPS_FORWARD"
26 IPS_OUTPUT_CHAIN="IPS_OUTPUT"
27
28 # Optional options for the Netfilter queue.
29 NFQ_OPTS="--queue-bypass "
30
31 # Array containing the 4 possible network zones.
32 network_zones=( red green blue orange )
33
34 # Array to store the network zones weather the IPS is enabled for.
35 enabled_ips_zones=()
36
37 # Mark and Mask options.
38 MARK="0x70000000"
39 MASK="0x70000000"
40
41 # PID file of suricata.
42 PID_FILE="/var/run/suricata.pid"
43
44 # Function to get the amount of CPU cores of the system.
45 function get_cpu_count {
46 CPUCOUNT=0
47
48 # Loop through "/proc/cpuinfo" and count the amount of CPU cores.
49 while read line; do
50 [ "$line" ] && [ -z "${line%processor*}" ] && ((CPUCOUNT++))
51 done </proc/cpuinfo
52
53 echo $CPUCOUNT
54 }
55
56 # Function to flush the firewall chains.
57 function flush_fw_chain {
58 # Call iptables and flush the chains
59 iptables -F "$IPS_INPUT_CHAIN"
60 iptables -F "$IPS_FORWARD_CHAIN"
61 iptables -F "$IPS_OUTPUT_CHAIN"
62 }
63
64 # Function to create the firewall rules to pass the traffic to suricata.
65 function generate_fw_rules {
66 cpu_count=$(get_cpu_count)
67
68 # Loop through the array of network zones.
69 for zone in "${network_zones[@]}"; do
70 # Convert zone into upper case.
71 zone_upper=${zone^^}
72
73 # Generate variable name for checking if the IDS is
74 # enabled on the zone.
75 enable_ids_zone="ENABLE_IDS_$zone_upper"
76
77 # Check if the IDS is enabled for this network zone.
78 if [ "${!enable_ids_zone}" == "on" ]; then
79 # Check if the current processed zone is "red" and the configured type is PPPoE dialin.
80 if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ]; then
81 # Set device name to ppp0.
82 network_device="ppp0"
83 else
84 # Generate variable name which contains the device name.
85 zone_name="$zone_upper"
86 zone_name+="_DEV"
87
88 # Grab device name.
89 network_device=${!zone_name}
90 fi
91
92 # Add the network device to the array of enabled zones.
93 enabled_ips_zones+=( "$network_device" )
94 fi
95 done
96
97 # Assign NFQ_OPTS
98 NFQ_OPTIONS=$NFQ_OPTS
99
100 # Check if there are multiple cpu cores available.
101 if [ "$cpu_count" -gt "1" ]; then
102 # Balance beetween all queues.
103 NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))"
104 NFQ_OPTIONS+=" --queue-cpu-fanout"
105 else
106 # Send all packets to queue 0.
107 NFQ_OPTIONS+="--queue-num 0"
108 fi
109
110 # Flush the firewall chains.
111 flush_fw_chain
112
113 # Check if the array of enabled_ips_zones contains any elements.
114 if [[ ${enabled_ips_zones[@]} ]]; then
115 # Loop through the array and create firewall rules.
116 for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
117 # Create rules queue input and output related traffic and pass it to the IPS.
118 iptables -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
119 iptables -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
120
121 # Create rules which are required to handle forwarded traffic.
122 for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
123 iptables -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
124 done
125 done
126
127 # Clear repeat bit, so that it does not confuse IPsec or QoS
128 iptables -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
129 iptables -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
130 iptables -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
131 fi
132 }
133
134 case "$1" in
135 start)
136 # Get amount of CPU cores.
137 cpu_count=$(get_cpu_count)
138
139 # Numer of NFQUES.
140 NFQUEUES=
141
142 for i in $(seq 0 $((cpu_count-1)) ); do
143 NFQUEUES+="-q $i "
144 done
145
146 # Check if the IDS should be started.
147 if [ "$ENABLE_IDS" == "on" ]; then
148 # Start the IDS.
149 boot_mesg "Starting Intrusion Detection System..."
150 /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES >/dev/null 2>/dev/null
151 evaluate_retval
152
153 # Allow reading the pidfile.
154 chmod 644 $PID_FILE
155
156 # Flush the firewall chain
157 flush_fw_chain
158
159 # Generate firewall rules
160 generate_fw_rules
161 fi
162 ;;
163
164 stop)
165 boot_mesg "Stopping Intrusion Detection System..."
166 killproc -p $PID_FILE /var/run
167
168 # Flush firewall chain.
169 flush_fw_chain
170
171 # Remove suricata control socket.
172 rm /var/run/suricata/* >/dev/null 2>/dev/null
173
174 # Trash remain pid file if still exists.
175 rm -f $PID_FILE >/dev/null 2>/dev/null
176
177 # Don't report returncode of rm if suricata was not started
178 exit 0
179 ;;
180
181 status)
182 statusproc /usr/bin/suricata
183 ;;
184
185 restart)
186 $0 stop
187 $0 start
188 ;;
189 reload)
190 # Send SIGUSR2 to the suricata process to perform a reload
191 # of the ruleset.
192 kill -USR2 $(pidof suricata)
193
194 # Flush the firewall chain.
195 flush_fw_chain
196
197 # Generate firewall rules.
198 generate_fw_rules
199 ;;
200
201 *)
202 echo "Usage: $0 {start|stop|restart|reload|status}"
203 exit 1
204 ;;
205 esac
206
207 chmod 644 /var/log/suricata/* 2>/dev/null
208
209 # End $rc_base/init.d/suricata
IPFire 2.x development tree