[Oisf-users] Suricata IPS with named - Please suggest use case

James Moe jimoe at sohnen-moe.com
Thu Dec 28 22:56:43 UTC 2017 

On 12/28/2017 08:06 AM, Blason R wrote:
>
> Thanks for idea need to work out on this. Any reference document would
> really appreciate.
> 
  Here is the script I use to control Suricata. The mailer's line wrap
function will probably mess with things a bit. The GO_IPS was usefull at
first to debug Suricata; not so much now.

#!/bin/sh
#
# Filename: suricata-ctl.sh -- Launches/stops suricata
#
SURI="/usr/local/bin/suricata";
LOG="/d500g/var/log/suricata";
PID="/d500g/var/run/suricata.pid";

OPT1="-c /usr/local/etc/suricata/suricata.yaml";
OPT2="--pidfile ${PID}";
OPT3="-v";

GO_IPS=1;
Q_INP="INPUT  -j NFQUEUE --queue-bypass";
Q_OUT="OUTPUT -j NFQUEUE --queue-bypass";

ETHTOOL="/usr/sbin/ethtool";
IPTABLES="/usr/sbin/iptables"

if [ 0 -eq $GO_IPS ]
then
    # if monitor only mode:
    OPT4="-i eth0";   # Run in PCAP mode
else
    # if NFQ mode:
    OPT4="-q 0";        # Run in NFQ mode using queue 0
fi

suri_start () {
    CMD="${SURI} ${OPT3} ${OPT2} ${OPT1} ${OPT4}"

    $ETHTOOL --features eth0 rx off
    $ETHTOOL --features eth0 gro off
    $ETHTOOL --offload eth0 rx off tx off

    # Set up the input and output queues if IPS mode.
    #
    if [ 0 -ne $GO_IPS ]
    then
        echo "iptables -I ${Q_INP}; iptables -I ${Q_OUT}"
        $IPTABLES -I ${Q_INP}
        $IPTABLES -I ${Q_OUT}
        $IPTABLES -S INPUT
        $IPTABLES -S OUTPUT

    fi

    # rm ${LOG}/unified*
    rm ${PID}
    ${CMD} > ${LOG}/verbose.log &
    echo ${CMD}
    echo "Return value [$?]";
    echo `ls -l ${LOG}/oinkmaster.log`
}

suri_stop () {
    CMD="No PID found";
    if [ -f ${PID} ]
    then
        CMD="/usr/bin/kill -TERM $(cat ${PID})"
        ${CMD}
        rm ${PID}
    fi
    echo ${CMD}

    if [ 0 -ne $GO_IPS ]
    then
    echo "iptables -D ${Q_INP}; iptables -D ${Q_OUT}"
        $IPTABLES -D ${Q_INP}
        $IPTABLES -D ${Q_OUT}
    fi
}

case $1 in
    start)
	suri_start
	;;
    restart)
        suri_stop
        sleep 3
        suri_start
        ;;
    stop) suri_stop
        ;;
    reload)
        if [ -f ${PID} ]
        then
            CMD="kill -USR2 `cat ${PID}`"
            ${CMD}
            echo $CMD
        fi
        ;;
    relog)
        if [ -f ${PID} ]
        then
            CMD="kill -HUP `cat ${PID}`"
            ${CMD}
            echo $CMD
        fi
        ;;

    rules) CMD="/usr/local/bin/oinkmaster.pl -C
/usr/local/etc/oinkmaster.conf -o /usr/local/etc/suricata/rules"
        ${CMD} > "${LOG}/oinkmaster.log" 2>&1
        ;;

    status | show)
        ${SURI} -V

        CMD="[No PID found]";
        if [ -f ${PID} ]
        then
            CMD="Running. PID [$(cat ${PID})]"
        fi
        $IPTABLES -S INPUT | grep NFQUEUE
        $IPTABLES -S OUTPUT | grep NFQUEUE
        echo ${CMD}
        ;;

    *) echo "Usage: suricata-ctl.sh {start | restart | stop | reload |
relog | rules | status}"
       ;;
esac

#
# ____[ end ]____
#


-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20171228/2a785b37/attachment-0002.sig>

More information about the Oisf-users mailing list