4. Start and stop Suricata from shell? and alerting when suricata not running

Start and stop Suricata from shell? and alerting when suricata not running

  • J

    Is it possible to start and stop Suricata from the shell?

    If so I'd prefer to do so for individual interfaces (like clicking to start or stop the individual interface on suricata_interfaces.php), but if that isn't possible starting/stopping/restarting the service via status_services.php would also be helpful.

    I imagine if there isn't a way to do it out of the box, it may be possible to do with a small php script, unfortunately I don't know my way around PHP very well.

    The reason I ask is that occasionally I find that Suricata isn't running when it should be (this is less of a problem with Suricata than when I used to run Snort, but it does still happen from time to time) so I wrote the following shell script to email me so I can at least manually start it, but I'd like to have the script try to start Suricata, wait, and then notify if necessary.

    (And if anyone has already solved this problem, or has any other tips, I'd love to hear them)

    #!/bin/tcsh

#set number of expected Suricata processes that should be running based on the number of interfaces running Suricata
set expected=2

#check number of Suricata processes that are running
set actual=`ps aux | pgrep suricata | wc -l`

#if the above numbers don't match, send email to notification address
if ($expected != $actual) then
#      if possible restart Suricata service, check again and only email if still not running properly
	echo "Expected $expected Suricata processes, but $actual running, please login and verify" | mail.php -s"Possible IPS Process Failure"
	exit 1
endif

    and then I used the cron package to run this a few times a day.

    This seems to be working well enough, but it would be nice to have the script attempt to get things working on its own.

    0
  • P
    Banned

    Have you tried the service watchdog package?

    It sounds like it is written to do exactly what you want.

    EDIT: Maybe not exactly what you want, it doesn't work on a per interface basis. I don't know if it will work for you but it should if your system keeps marking the suricata service as down for some reason.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy