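#!/bin/sh
### BEGIN INIT INFO
# Provides:          suricata
# Required-Start:    $time $network $local_fs $remote_fs
# Required-Stop:     $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Next Generation IDS/IPS
# Description:       Intrusion detection system that will
#                    capture traffic from the network cards and will
#                    match against a set of known attacks.
### END INIT INFO

# Abort on the first failing command. Set here instead of on the shebang so
# it still applies when the script is run as "sh /etc/init.d/suricata".
set -e

# Source function library.
. /lib/lsb/init-functions

# Per-host settings (RUN, LISTENMODE, IFACE, NFQUEUE, PIDFILE, SURCONF,
# TCMALLOC) come from /etc/default/suricata; refuse to run without them.
if test -f /etc/default/suricata; then
  . /etc/default/suricata
else
  echo "/etc/default/suricata is missing... bailing out!" >&2
  exit 1
fi

# We'll add up all the options above and use them
NAME=suricata
DAEMON=/usr/bin/$NAME

# Use this if you want the user to explicitly set 'RUN' in
# /etc/default/. A deliberately disabled service exits 0, not as an error.
if [ "x$RUN" != "xyes" ]; then
  log_failure_msg "$NAME disabled, please adjust the configuration to your needs "
  log_failure_msg "and then set RUN to 'yes' in /etc/default/$NAME to enable it."
  exit 0
fi

#######################################
# Exit with LSB status 4 (insufficient privilege) unless running as root.
# Globals: NAME (read)
#######################################
check_root() {
  if [ "$(id -u)" != "0" ]; then
    log_failure_msg "You must be root to start, stop or restart $NAME."
    exit 4
  fi
}

#######################################
# Warn (do not fail) when neither procfs entry for nfnetlink_queue exists.
# The deprecated "-o" inside test is replaced by two tests joined with &&.
#######################################
check_nfqueue() {
  if [ ! -e /proc/net/netfilter/nfnetlink_queue ] \
    && [ ! -e /proc/net/netfilter/nf_queue ]; then
    log_warning_msg "NFQUEUE support not found !"
    log_warning_msg "Please ensure the nfnetlink_queue module is loaded or built in kernel"
  fi
}

#######################################
# Create the runtime directory (mode 0755) if it does not exist yet.
#######################################
check_run_dir() {
  if [ ! -d /var/run/suricata ]; then
    mkdir -m 0755 /var/run/suricata
  fi
}

#######################################
# Export LD_PRELOAD for the daemon when the library is present and the
# administrator opted in with TCMALLOC=YES in /etc/default/suricata.
# Globals: TCMALLOC (read), LD_PRELOAD (written)
#######################################
load_libtcmalloc_minimal() {
  lib="/usr/lib/libtcmalloc_minimal.so.4"
  if [ -f "$lib" ] && [ "x$TCMALLOC" = "xYES" ]; then
    export LD_PRELOAD="$lib"
  fi
}

check_root

# Translate LISTENMODE into the capture options passed to the daemon.
case "$LISTENMODE" in
  nfqueue)
    IDMODE="IPS (nfqueue)"
    LISTEN_OPTIONS=" -q $NFQUEUE"
    check_nfqueue
    ;;
  pcap)
    IDMODE="IDS (pcap)"
    LISTEN_OPTIONS=" -i $IFACE"
    ;;
  af-packet)
    IDMODE="IDS (af-packet)"
    LISTEN_OPTIONS=" --af-packet"
    ;;
  *)
    # Diagnostics go to stderr so they are not mistaken for normal output.
    echo "Unsupported listen mode $LISTENMODE, aborting" >&2
    exit 1
    ;;
esac

# Space-separated option list; it is expanded unquoted on purpose so the
# shell splits it into individual daemon arguments.
SURICATA_OPTIONS=" -c $SURCONF --pidfile $PIDFILE $LISTEN_OPTIONS -D"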
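#######################################
# Print the PID stored in $PIDFILE only if it is a plain decimal number;
# print nothing otherwise. The value is handed to kill as root, and kill
# treats a negative or empty argument specially (-1 means every process),
# so a corrupt or tampered pid file must never reach it unchecked.
# Globals: PIDFILE (read)
#######################################
read_pid() {
  pid=$(cat "$PIDFILE" 2>/dev/null) || return 0
  case "$pid" in
    ''|*[!0-9]*) ;;
    *) printf '%s\n' "$pid" ;;
  esac
}

# See how we were called.
case "$1" in
  start)
    # A live process recorded in the pid file means there is nothing to do.
    if [ -f "$PIDFILE" ]; then
      PID1=$(read_pid)
      if [ -n "$PID1" ] && kill -0 "$PID1" 2>/dev/null; then
        echo "$NAME is already running with PID $PID1"
        exit 0
      fi
    fi
    check_run_dir
    printf '%s' "Starting suricata in $IDMODE mode..."
    load_libtcmalloc_minimal
    # $SURICATA_OPTIONS is an option list and must be word-split.
    # shellcheck disable=SC2086
    $DAEMON $SURICATA_OPTIONS > /var/log/suricata/suricata-start.log 2>&1 &
    echo " done."
    ;;
  stop)
    printf '%s' "Stopping suricata: "
    if [ -f "$PIDFILE" ]; then
      PID2=$(read_pid)
    else
      echo " No PID file found; not running?"
      exit 0
    fi
    start-stop-daemon --oknodo --stop --quiet --pidfile="$PIDFILE" --exec "$DAEMON"
    if [ -n "$PID2" ]; then
      # The process may already be gone after start-stop-daemon; under
      # set -e a failing kill would otherwise abort the script before the
      # pid file is cleaned up.
      kill "$PID2" 2>/dev/null || true
      sleep 2
      if kill -0 "$PID2" 2>/dev/null; then
        printf '%s' "Waiting . "
        cnt=0
        while kill -0 "$PID2" 2>/dev/null; do
          cnt=$((cnt + 1))
          # Roughly 20 seconds of TERM grace before escalating to KILL.
          if [ "$cnt" -gt 10 ]; then
            kill -9 "$PID2" 2>/dev/null || true
            break
          fi
          sleep 2
          printf '%s' ". "
        done
      fi
    fi
    if [ -e "$PIDFILE" ]; then
      rm -f -- "$PIDFILE"
    fi
    echo " done."
    ;;
  status)
    # Exit codes follow the LSB status convention: 0 running,
    # 1 dead but pid file exists, 3 not running.
    if [ -s "$PIDFILE" ]; then
      PID3=$(read_pid)
      if [ -n "$PID3" ] && kill -0 "$PID3" 2>/dev/null; then
        echo "$NAME is running with PID $PID3"
        exit 0
      else
        echo "PID file $PIDFILE exists, but process not running!"
        exit 1
      fi
    else
      echo "$NAME not running!"
      exit 3
    fi
    ;;
  restart|force-reload)
    "$0" stop
    "$0" start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
    exit 1
    ;;
esac

exit 0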