#!/bin/sh -e
#
### BEGIN INIT INFO
# Provides: suricata
# Required-Start: $time $network $local_fs $remote_fs
# Required-Stop: $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Next Generation IDS/IPS
# Description: Intrusion detection system that will
# capture traffic from the network cards and will
# match against a set of known attacks.
### END INIT INFO
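# Re-assert -e here: the "-e" on the "#!/bin/sh -e" line is lost when
# the script is run as "sh /etc/init.d/suricata".
set -e
. /lib/lsb/init-functions
# Source the per-host defaults.  This script reads RUN, LISTENMODE,
# NFQUEUE, IFACE, SURCONF, PIDFILE and TCMALLOC, which are expected
# to be defined there.  Without that file nothing below can be
# configured correctly, so actually bail out as the message says.
if test -f /etc/default/suricata; then
  . /etc/default/suricata
else
  log_failure_msg "/etc/default/suricata is missing... bailing out!"
  exit 6   # LSB: program is not configured
fi
# We'll add up all the options above and use them
NAME=suricata
DAEMON=/usr/bin/$NAME
# Require an explicit opt-in (RUN=yes in /etc/default/suricata).
# A disabled service exits 0, not an error, so package upgrades and
# shutdown sequences do not fail on hosts that keep it switched off.
if [ "x$RUN" != "xyes" ]; then
  log_failure_msg "$NAME disabled, please adjust the configuration to your needs "
  log_failure_msg "and then set RUN to 'yes' in /etc/default/$NAME to enable it."
  exit 0
fi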
# Abort unless we are running as root.
# Exit 4 is the LSB status for "user had insufficient privilege".
check_root() {
  [ "$(id -u)" = "0" ] && return 0
  log_failure_msg "You must be root to start, stop or restart $NAME."
  exit 4
}
# Warn (but do not abort) when the kernel shows no NFQUEUE support.
# Either /proc entry is taken as evidence that nfnetlink_queue is
# loaded or built in.
check_nfqueue() {
  if [ -e /proc/net/netfilter/nfnetlink_queue ] || [ -e /proc/net/netfilter/nf_queue ]; then
    return 0
  fi
  log_warning_msg "NFQUEUE support not found !"
  log_warning_msg "Please ensure the nfnetlink_queue module is loaded or built in kernel"
}
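# Make sure the runtime directory (where the pidfile lives) exists
# with mode 0755.
# Arguments: $1 - directory to create (optional, defaults to
#                 /var/run/suricata, the packaged location)
# Returns:   0 on success; mkdir/chmod failures propagate under set -e
check_run_dir() {
  # Positional parameters are function-local in POSIX sh, so this is a
  # portable way to default an argument without leaking a variable.
  set -- "${1:-/var/run/suricata}"
  if [ ! -d "$1" ]; then
    mkdir -- "$1"
    chmod 0755 "$1"
  fi
}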
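check_root
# Translate LISTENMODE (from /etc/default/suricata) into the daemon's
# capture options.  A mode's companion setting must be present: an
# empty NFQUEUE or IFACE would leave a dangling "-q"/"-i" in the
# option string and the daemon would swallow the next flag as its
# argument.  Exit 6 is the LSB status for "program is not configured".
case "$LISTENMODE" in
  nfqueue)
    if [ -z "$NFQUEUE" ]; then
      log_failure_msg "LISTENMODE is nfqueue but NFQUEUE is not set in /etc/default/$NAME"
      exit 6
    fi
    IDMODE="IPS (nfqueue)"
    LISTEN_OPTIONS=" -q $NFQUEUE"
    check_nfqueue
    ;;
  pcap)
    if [ -z "$IFACE" ]; then
      log_failure_msg "LISTENMODE is pcap but IFACE is not set in /etc/default/$NAME"
      exit 6
    fi
    IDMODE="IDS (pcap)"
    LISTEN_OPTIONS=" -i $IFACE"
    ;;
  af-packet)
    IDMODE="IDS (af-packet)"
    LISTEN_OPTIONS=" --af-packet"
    ;;
  *)
    echo "Unsupported listen mode $LISTENMODE, aborting" >&2
    exit 1
    ;;
esac
if [ -z "$SURCONF" ] || [ -z "$PIDFILE" ]; then
  log_failure_msg "SURCONF and PIDFILE must be set in /etc/default/$NAME"
  exit 6
fi
# Full daemon command line (minus the binary).  Kept as a single
# whitespace-separated string because this is POSIX sh (no arrays);
# it is deliberately expanded unquoted where the daemon is started.
SURICATA_OPTIONS=" -c $SURCONF --pidfile $PIDFILE $LISTEN_OPTIONS -D"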
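# See how we were called.

# Print the PID recorded in "$PIDFILE", or nothing if the file is
# missing, empty, or does not hold a single positive integer.  The
# pidfile is written by the daemon, so its content is validated before
# it is ever passed to kill(1).  Always returns 0.
pid_from_file() {
  set -- "$(cat "$PIDFILE" 2>/dev/null)"
  case "$1" in
    ''|0|*[!0-9]*) return 0 ;;   # empty, zero or non-numeric: do not trust it
  esac
  printf '%s\n' "$1"
}

# Return 0 if a process with PID "$1" exists and may be signalled.
pid_alive() {
  kill -0 "$1" 2>/dev/null
}

case "$1" in
  start)
    PID1=$(pid_from_file)
    if [ -n "$PID1" ] && pid_alive "$PID1"; then
      echo "$NAME is already running with PID $PID1"
      exit 0
    fi
    check_run_dir
    printf '%s' "Starting suricata in $IDMODE mode..."
    # Opt-in tcmalloc preload; the exported variable is inherited by
    # the daemon launched below.
    if [ -f /usr/lib/libtcmalloc_minimal.so.0 ] && [ "x$TCMALLOC" = "xYES" ]; then
      export LD_PRELOAD="/usr/lib/libtcmalloc_minimal.so.0"
    fi
    # $SURICATA_OPTIONS is intentionally unquoted: it is a
    # whitespace-separated option string, not one argument.  The daemon
    # is backgrounded and its exit status is not checked, so startup
    # failures only surface in suricata-start.log and via "status".
    # shellcheck disable=SC2086
    $DAEMON $SURICATA_OPTIONS > /var/log/suricata/suricata-start.log 2>&1 &
    echo " done."
    ;;
  stop)
    printf '%s' "Stopping suricata: "
    if [ ! -f "$PIDFILE" ]; then
      echo " No PID file found; not running?"
      exit 0
    fi
    PID2=$(pid_from_file)
    # Signals are sent through start-stop-daemon, which only acts when
    # the PID from the pidfile also matches --exec, so a recycled PID
    # belonging to some other program is never signalled.  The raw PID
    # is used here only for liveness polling (kill -0).
    start-stop-daemon --oknodo --stop --quiet --pidfile="$PIDFILE" --exec "$DAEMON"
    if [ -n "$PID2" ]; then
      sleep 2
      if pid_alive "$PID2"; then
        printf '%s' "Waiting . "
        cnt=0
        while pid_alive "$PID2"; do
          cnt=$((cnt + 1))
          if [ "$cnt" -gt 10 ]; then
            # Escalate to SIGKILL, again via start-stop-daemon rather
            # than a bare "kill -9 $PID2".
            start-stop-daemon --oknodo --stop --quiet --signal KILL \
              --pidfile="$PIDFILE" --exec "$DAEMON"
            break
          fi
          sleep 2
          printf '%s' ". "
        done
      fi
    fi
    rm -f -- "$PIDFILE"
    echo " done."
    ;;
  status)
    # Exit statuses follow LSB: 0 running, 1 dead but pidfile exists,
    # 3 not running.  Returning 0 in every case (as before) makes the
    # result useless to monitoring and to "restart" wrappers.
    if [ -s "$PIDFILE" ]; then
      PID3=$(pid_from_file)
      if [ -n "$PID3" ] && pid_alive "$PID3"; then
        echo "$NAME is running with PID $PID3"
        exit 0
      fi
      echo "PID file $PIDFILE exists, but process not running!"
      exit 1
    fi
    echo "$NAME not running!"
    exit 3
    ;;
  restart|force-reload)
    # Re-invoke ourselves so the stop and start paths stay in one place.
    "$0" stop
    "$0" start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
    exit 1
    ;;
esac
exit 0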