[Oisf-users] issues with init script for Ubuntu 12.10

Eric Leblond eric at regit.org
Thu Apr 25 19:06:45 UTC 2013


Hi,

On Tue, 2013-04-23 at 22:54 -0500, David Delorme wrote:
> I am having an issue with this script if I use the start part. It locks 
> me out from my local network to the server, and I have to issue the same 
> iptables command from the server, then it works???? I am a little stumped.
> 
> > #! /bin/sh
> > #set -x
> > #
> > ### BEGIN INIT INFO
> > # Provides: suricatabarn
> > # Required-Start: $remote_fs $syslog mysql
> > # Required-Stop: $remote_fs $syslog
> > # Default-Start: 2 3 4 5
> > # Default-Stop: 0 1 6
> > # X-Interactive: true
> > # Short-Description: Start Suricata and Barnyard2
> > ### END INIT INFO
> > . /lib/init/vars.sh
> > . /lib/lsb/init-functions
> > do_start()
> > {
> > log_daemon_msg "Starting Suricata and Barnyard" ""
> > #/sbin/ifconfig p4p1 up
> > /usr/bin/suricata -D -c /etc/suricata/suricata.yaml -q 0 -q 1 -q 2 -q 3 &

Suricata can take a long time to start because of signature optimisation. That
may explain why you get blocked for something like 30 seconds.

To speed up packet acceptance, you can use delayed detect: the IPS will
route packets before doing the signature tree computation.

To do so, put this in your YAML:

detect-engine:
  - delayed-detect: yes

BR,

> > /usr/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d 
> > /var/log/suricata -f unified2.alert -w 
> > /var/log/suricata/suricata.waldo -D &
> > /sbin/iptables -A INPUT -j NFQUEUE --queue-balance 0:3
> > /sbin/iptables -A OUTPUT -j NFQUEUE --queue-balance 0:3
> > log_end_msg 0
> > return 0
> > }
> > do_stop()
> > {
> > log_daemon_msg "Removing Chains aka Django" ""
> > /sbin/iptables -D INPUT -j NFQUEUE --queue-balance 0:3
> > /sbin/iptables -D OUTPUT -j NFQUEUE --queue-balance 0:3
> > log_daemon_msg "Stopping Suricata and Barnyard" ""
> > kill $(pidof suricata) 2> /dev/null
> > kill $(pidof barnyard2) 2> /dev/null
> > log_end_msg 0
> > return 0
> > }
> > do_restart()
> > {
> > log_daemon_msg "restarting Suricata and Barnyard" ""
> > kill $(pidof suricata) 2> /dev/null
> > kill $(pidof barnyard2) 2> /dev/null
> > /usr/bin/suricata -D -c /etc/suricata/suricata.yaml -q 0 -q 1 -q 2 -q 3 &
> > /usr/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d 
> > /var/log/suricata -f unified2.alert -w 
> > /var/log/suricata/suricata.waldo -D &
> > log_end_msg 0
> > return 0
> > }
> > case "$1" in
> > start)
> > do_start
> > ;;
> > stop)
> > do_stop
> > ;;
> > restart)
> > do_restart
> > ;;
> > *)
> > echo "Usage: suricatabarn {start|stop|restart}" >&2
> > exit 3
> > ;;
> > esac
> > exit 0
> 
> It is a crude hack of someone else's script and I take no credit for it. I 
> added the restart part because the start would hang my shell....
> Any hint would help
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/

-- 
Eric Leblond <eric at regit.org>
Blog: https://home.regit.org/
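The lockout David describes comes from the order of operations in the start action: the NFQUEUE rules go in the instant suricata is forked, so every packet is diverted to queues that nothing has bound yet and is dropped until signature loading finishes. Eric's delayed-detect setting shortens that window from the Suricata side; the added example below (not code from the thread, the poster's script, or the Suricata project) closes it from the init-script side instead: it waits until the kernel reports that Suricata has bound queues 0-3 before inserting the rules, fails open with a timeout rather than hanging the shell, and inserts the rules idempotently so a repeated start does not stack duplicates that one stop would leave behind. It assumes the layout of /proc/net/netfilter/nfnetlink_queue (one line per bound queue, queue number in the first column) and an iptables with -C and --queue-bypass, both present on Ubuntu 12.10; the nfnetlink_queue content in nfq_selftest is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: gate the NFQUEUE rules of an IPS init
# script on Suricata having actually bound its queues.  Until userspace
# binds queue N, packets steered to NFQUEUE N have no consumer and are
# dropped (unless the rule carries --queue-bypass); that window, while
# Suricata is still loading signatures, is what locks the box out.
#
# Assumption: the kernel lists bound queues in /proc/net/netfilter/nfnetlink_queue,
# one line per queue, with the queue number in the first column.

NFQ_PROC=/proc/net/netfilter/nfnetlink_queue
NFQ_QUEUES="0 1 2 3"   # must match the -q options Suricata is started with
# Rule spec used for -C/-I/-D so that all three refer to the same rule.
NFQ_RULE="-j NFQUEUE --queue-balance 0:3 --queue-bypass"

# Print the queue numbers present in nfnetlink_queue-format file $1.
nfq_list_bound() {
    awk 'NF >= 2 && $1 ~ /^[0-9]+$/ { print $1 }' "$1"
}

# Succeed only if every queue listed in $2 (space-separated) is in file $1.
nfq_all_bound() {
    _bound=$(nfq_list_bound "$1")
    for _q in $2; do
        echo "$_bound" | grep -qx "$_q" || return 1
    done
    return 0
}

# Poll file $3 (default: the real proc file) until all queues in $1 are
# bound or $2 seconds have passed.  Returns 0 when bound, 1 on timeout.
nfq_wait_bound() {
    _file=${3:-$NFQ_PROC}
    _elapsed=0
    while [ "$_elapsed" -lt "$2" ]; do
        if [ -r "$_file" ] && nfq_all_bound "$_file" "$1"; then
            return 0
        fi
        sleep 1
        _elapsed=$((_elapsed + 1))
    done
    return 1
}

# Idempotent insert: a second 'start' must not add a duplicate rule.
# --queue-bypass makes the rule fail-open: packets are accepted, uninspected,
# whenever no program is bound to the queue (including if Suricata dies).
nfq_add_rule() {
    iptables -C "$1" $NFQ_RULE 2>/dev/null || iptables -I "$1" $NFQ_RULE
}

# Remove every copy of the rule, not just one.
nfq_del_rule() {
    while iptables -C "$1" $NFQ_RULE 2>/dev/null; do
        iptables -D "$1" $NFQ_RULE
    done
}

ips_start() {
    # -D already daemonises; no trailing '&' needed.
    suricata -D -c /etc/suricata/suricata.yaml -q 0 -q 1 -q 2 -q 3
    if nfq_wait_bound "$NFQ_QUEUES" 120; then
        nfq_add_rule INPUT
        nfq_add_rule OUTPUT
    else
        echo "suricata did not bind queues $NFQ_QUEUES in time; traffic not diverted" >&2
        return 1
    fi
}

ips_stop() {
    nfq_del_rule INPUT     # unhook the kernel first, then stop the consumer
    nfq_del_rule OUTPUT
    kill "$(pidof suricata)" 2>/dev/null
}

# Self-check on constructed nfnetlink_queue content (queues 0 and 1 bound,
# 2 and 3 not).  Returns 0 when the parser behaves as expected.
nfq_selftest() {
    _tmp=$(mktemp) || return 1
    printf '%s\n' \
        '    0  -4413     0 2 65531     0     0       12  1' \
        '    1  -4413     0 2 65531     0     0        3  1' > "$_tmp"
    _rc=1
    if nfq_all_bound "$_tmp" "0 1" && ! nfq_all_bound "$_tmp" "0 1 2 3"; then
        _rc=0
    fi
    rm -f "$_tmp"
    return $_rc
}

case "${1:-}" in
    start)    ips_start ;;
    stop)     ips_stop ;;
    selftest) nfq_selftest && echo "ok" ;;
esac
```

The wait is the part that fixes the hang: with Suricata in its default mode the queues are bound only after the detection engine is built, so "queues 0-3 present in nfnetlink_queue" is a usable readiness signal. --queue-bypass is a deliberate fail-open choice; drop it from NFQ_RULE if you would rather have the host fail closed when Suricata is not running, in which case the readiness wait is the only thing standing between you and the lockout.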