summaryrefslogtreecommitdiff
blob: 76dd521d7adaa674869e8209ecf62306a2b99110 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
#!/sbin/openrc-run
# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

SURICATA_BIN=/usr/bin/suricata
SURICATA_DIR=${SURICATA_DIR:-/etc/suricata}
SURICATA=${SVCNAME#*.}
SURICATAID=$(shell_var "${SURICATA}")
if [ -n "${SURICATA}" ] && [ ${SVCNAME} != "suricata" ]; then
    eval SURICATACONF=\$SURICATA_CONF_${SURICATAID}
    [ ${#SURICATACONF} -eq 0 ] && SURICATACONF="${SURICATA_DIR}/suricata-${SURICATA}.yaml" || SURICATACONF="${SURICATA_DIR}/${SURICATACONF}"
    SURICATAPID="/var/run/suricata/suricata.${SURICATA}.pid"
    eval SURICATAOPTS=\$SURICATA_OPTS_${SURICATAID}
    eval SURICATALOGPATH=\$SURICATA_LOG_FILE_${SURICATAID}
    eval SURICATAUSER=\$SURICATA_USER_${SURICATAID}
    eval SURICATAGROUP=\$SURICATA_GROUP_${SURICATAID}
else
    SURICATACONF=${SURICATA_CONF}
    [ ${#SURICATACONF} -eq 0 ] && SURICATACONF="${SURICATA_DIR}/suricata.yaml" || SURICATACONF="${SURICATA_DIR}/${SURICATACONF}"
    SURICATAPID="/var/run/suricata/suricata.pid"
    SURICATAOPTS=${SURICATA_OPTS}
    SURICATALOGPATH=${SURICATA_LOG_FILE}
    SURICATAUSER=${SURICATA_USER}
    SURICATAGROUP=${SURICATA_GROUP}
fi
SURICATAUSER=${SURICATAUSER:-${SURICATA_USER}}
SURICATAGROUP=${SURICATAGROUP:-${SURICATA_GROUP}}
[ -e ${SURICATACONF} ] && SURICATAOPTS="-c ${SURICATACONF} ${SURICATAOPTS}"
[[ -z "${SURICATA_MAX_WAIT_ON_STOP// }" ]] || SURICATA_RETRY="--retry ${SURICATA_MAX_WAIT_ON_STOP}"

description="Suricata IDS/IPS"
extra_commands="checkconfig dump"
description_checkconfig="Check config for ${SVCNAME}"
description_dump="List all config values that can be used with --set"
extra_started_commands="reload relog"
description_reload="Live rule and config reload"
description_relog="Close and re-open all log files"

depend() {
	need net
	after mysql
	after postgresql
}

checkconfig() {
	if [ ! -d "/var/run/suricata" ] ; then
		checkpath -d /var/run/suricata
	fi
	if [ ${#SURICATALOGPATH} -gt 0 ]; then
		SURICATALOGFILE=$( basename ${SURICATALOGPATH} )
		SURICATALOGFILE=${SURICATALOGFILE:-suricata.log}
		SURICATALOGPATH=$( dirname ${SURICATALOGPATH} )
		if [ ! -d "${SURICATALOGPATH}" ] ; then
			checkpath -d "${SURICATALOGPATH}"
		fi
		if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ] && [ -e "${SURICATALOGPATH}" ]; then
			chown ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}" || return 1
			chown ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}"/* >/dev/null 2>&1 3>&1
		fi
		SURICATAOPTS="${SURICATAOPTS} --set logging.outputs.1.file.filename=${SURICATALOGPATH}/${SURICATALOGFILE}"
		SURICATALOGPATH="-l ${SURICATALOGPATH}"
	fi
	if [ ! -e ${SURICATACONF} ] ; then
		einfo "The configuration file ${SURICATACONF} was not found."
		einfo "If this is OK then make sure you set enough options for ${SVCNAME} in /etc/conf.d/suricata."
		einfo "Take a look at the suricata arguments --set and --dump-config."
	fi
	if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
		einfo "${SVCNAME} will run as user ${SURICATAUSER}:${SURICATAGROUP}."
		SURICATAOPTS="${SURICATAOPTS} --user=${SURICATAUSER} --group=${SURICATAGROUP}"
	fi
}

initpidinfo() {
	[ -e ${SURICATAPID} ] && SUR_PID="$(cat ${SURICATAPID})"
	if [ ${#SUR_PID} -gt 0 ]; then
	    SUR_PID_CHECK="$(ps -eo pid | grep -c ${SUR_PID})"
	    SUR_USER="$(ps -p ${SUR_PID} --no-headers -o user)"
	fi
}

checkpidinfo() {
	initpidinfo
        if [ ! -e ${SURICATAPID} ]; then
        	eerror "${SVCNAME} isn't running"
                return 1
	elif [ ${#SUR_PID} -eq 0 ] || [ $((SUR_PID_CHECK)) -ne 1 ]; then
		eerror "Could not determine PID of ${SVCNAME}! Did the service crash?"
		return 1
	elif [ ${#SUR_USER} -eq 0 ]; then
		eerror "Unable to determine user running ${SVCNAME}!"
		return 1
	elif [ "x${SUR_USER}" != "xroot" ]; then
		ewarn "${SVCNAME} may need to be running as root or as a priviledged user for the extra commands reload and relog to work."
        fi
}

start() {
	checkconfig || return 1
	ebegin "Starting ${SVCNAME}"
	start-stop-daemon --start --quiet --exec ${SURICATA_BIN} \
		-- --pidfile ${SURICATAPID} -D ${SURICATAOPTS} ${SURICATALOGPATH} >/dev/null 2>&1
	local SUR_EXIT=$?
	if [ $((SUR_EXIT)) -ne 0 ]; then
	    einfo "Could not start ${SURICATA_BIN} with:"
	    einfo "--pidfile ${SURICATAPID} -D ${SURICATAOPTS} ${SURICATALOGPATH}"
	    einfo "Exit code ${SUR_EXIT}"
	fi
	eend ${SUR_EXIT}
}

stop() {
	ebegin "Stopping ${SVCNAME}"
	start-stop-daemon --stop ${SURICATA_RETRY} --quiet --pidfile ${SURICATAPID} >/dev/null 2>&1
	eend $?
}

reload() {
	checkpidinfo || return 1
	checkconfig || return 1
	ebegin "Sending USR2 signal to ${SVCNAME} to perform a live rule and config reload."
	if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
		start-stop-daemon --user ${SURICATAUSER} --group ${SURICATAGROUP} --signal USR2 --pidfile ${SURICATAPID}
	else
		start-stop-daemon --signal USR2 --pidfile ${SURICATAPID}
	fi
	eend $?
}

relog() {
	checkpidinfo || return 1
	checkconfig || return 1
	ebegin "Sending HUP signal to ${SVCNAME} to close and re-open all log files."
	if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
		start-stop-daemon --user ${SURICATAUSER} --group ${SURICATAGROUP} --signal HUP --pidfile ${SURICATAPID}
	else
		start-stop-daemon --signal HUP --pidfile ${SURICATAPID}
	fi
	eend $?
}

dump() {
	checkconfig || return 1
	ebegin "Dumping ${SVCNAME} config values and quitting."
	${SURICATA_BIN} --dump-config --pidfile ${SURICATAPID} ${SURICATAOPTS} ${SURICATALOGPATH}
	eend $?
}