opensourcemirror
/
ipfire-2.x
mirror of git://git.ipfire.org/ipfire-2.x.git
1
0
Fork 0
Code Issues Releases Wiki Activity
ipfire-2.x/src/initscripts/system/suricata

235 lines
6.3 KiB
Bash
Raw Blame History

#!/bin/sh
########################################################################
# Begin $rc_base/init.d/suricata
#
# Description : Suricata Initscript
#
# Author : Stefan Schantl <stefan.schantl@ipfire.org>
#
# Version : 01.03
#
# Notes :
#
########################################################################
. /etc/sysconfig/rc
. ${rc_functions}
PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
# Name of the firewall chains.
IPS_INPUT_CHAIN="IPS_INPUT"
IPS_FORWARD_CHAIN="IPS_FORWARD"
IPS_OUTPUT_CHAIN="IPS_OUTPUT"
# Optional options for the Netfilter queue.
NFQ_OPTS="--queue-bypass "
# Array containing the 4 possible network zones.
network_zones=( red green blue orange ovpn )
# Array to store the network zones weather the IPS is enabled for.
enabled_ips_zones=()
# Mark and Mask options.
MARK="0x70000000"
MASK="0x70000000"
# PID file of suricata.
PID_FILE="/var/run/suricata.pid"
# Function to get the amount of CPU cores of the system.
function get_cpu_count {
CPUCOUNT=0
# Loop through "/proc/cpuinfo" and count the amount of CPU cores.
while read line; do
[ "$line" ] && [ -z "${line%processor*}" ] && ((CPUCOUNT++))
done </proc/cpuinfo
# Limit to a maximum of 16 cores, because suricata does not support more than
# 16 netfilter queues at the moment.
if [ $CPUCOUNT -gt "16" ]; then
echo "16"
else
echo $CPUCOUNT
fi
}
# Function to flush the firewall chains.
function flush_fw_chain {
# Call iptables and flush the chains
iptables -F "$IPS_INPUT_CHAIN"
iptables -F "$IPS_FORWARD_CHAIN"
iptables -F "$IPS_OUTPUT_CHAIN"
}
# Function to create the firewall rules to pass the traffic to suricata.
function generate_fw_rules {
cpu_count=$(get_cpu_count)
# Loop through the array of network zones.
for zone in "${network_zones[@]}"; do
# Convert zone into upper case.
zone_upper=${zone^^}
# Generate variable name for checking if the IDS is
# enabled on the zone.
enable_ids_zone="ENABLE_IDS_$zone_upper"
# Check if the IDS is enabled for this network zone.
if [ "${!enable_ids_zone}" == "on" ]; then
# Check if the current processed zone is "red" and the configured type is PPPoE dialin.
if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ]; then
# Set device name to ppp0.
network_device="ppp0"
elif [ "$zone" == "ovpn" ]; then
# Get all virtual net devices because the RW server and each
# N2N connection creates it's own tun device.
for virt_dev in /sys/devices/virtual/net/*; do
# Cut-off the directory.
dev="${virt_dev##*/}"
# Only process tun devices.
if [[ $dev =~ "tun" ]]; then
# Add the network device to the array of enabled zones.
enabled_ips_zones+=( "$dev" )
fi
done
# Process next zone.
continue
else
# Generate variable name which contains the device name.
zone_name="$zone_upper"
zone_name+="_DEV"
# Grab device name.
network_device=${!zone_name}
fi
# Add the network device to the array of enabled zones.
enabled_ips_zones+=( "$network_device" )
fi
done
# Assign NFQ_OPTS
NFQ_OPTIONS=$NFQ_OPTS
# Check if there are multiple cpu cores available.
if [ "$cpu_count" -gt "1" ]; then
# Balance beetween all queues.
NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))"
NFQ_OPTIONS+=" --queue-cpu-fanout"
else
# Send all packets to queue 0.
NFQ_OPTIONS+="--queue-num 0"
fi
# Flush the firewall chains.
flush_fw_chain
# Check if the array of enabled_ips_zones contains any elements.
if [[ ${enabled_ips_zones[@]} ]]; then
# Loop through the array and create firewall rules.
for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
# Create rules queue input and output related traffic and pass it to the IPS.
iptables -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
iptables -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
# Create rules which are required to handle forwarded traffic.
for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
iptables -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
done
done
# Clear repeat bit, so that it does not confuse IPsec or QoS
iptables -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
iptables -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
iptables -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
fi
}
case "$1" in
start)
# Get amount of CPU cores.
cpu_count=$(get_cpu_count)
# Numer of NFQUES.
NFQUEUES="-q 0"
if [ $cpu_count -gt "1" ]; then
NFQUEUES+=":$(($cpu_count-1))"
fi
# Check if the IDS should be started.
if [ "$ENABLE_IDS" == "on" ]; then
# Start the IDS.
boot_mesg "Starting Intrusion Detection System..."
/usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES >/dev/null 2>/dev/null
evaluate_retval
# Allow reading the pidfile.
chmod 644 $PID_FILE
# Flush the firewall chain
flush_fw_chain
# Generate firewall rules
generate_fw_rules
fi
;;
stop)
boot_mesg "Stopping Intrusion Detection System..."
killproc -p $PID_FILE /var/run
# Flush firewall chain.
flush_fw_chain
# Sometimes suricata not correct shutdown. So killall.
killall -KILL /usr/bin/suricata 2>/dev/null
# Remove suricata control socket.
rm /var/run/suricata/* >/dev/null 2>/dev/null
# Trash remain pid file if still exists.
rm -f $PID_FILE >/dev/null 2>/dev/null
# Don't report returncode of rm if suricata was not started
exit 0
;;
status)
statusproc /usr/bin/suricata
;;
restart)
$0 stop
$0 start
;;
reload)
# Send SIGUSR2 to the suricata process to perform a reload
# of the ruleset.
kill -USR2 $(pidof suricata)
# Flush the firewall chain.
flush_fw_chain
# Generate firewall rules.
generate_fw_rules
;;
*)
echo "Usage: $0 {start|stop|restart|reload|status}"
exit 1
;;
esac
chmod 644 /var/log/suricata/* 2>/dev/null
# End $rc_base/init.d/suricata
Reference in New Issue View Git Blame Copy Permalink