Netgate Discussion Forum
    Start and stop Suricata from shell? and alerting when suricata not running

      jeffhammett

      Is it possible to start and stop Suricata from the shell?

      If so I'd prefer to do so for individual interfaces (like clicking to start or stop the individual interface on suricata_interfaces.php), but if that isn't possible starting/stopping/restarting the service via status_services.php would also be helpful.

      I imagine if there isn't a way to do it out of the box, it may be possible to do with a small PHP script; unfortunately I don't know my way around PHP very well.

      The reason I ask is that occasionally I find that Suricata isn't running when it should be (this is less of a problem with Suricata than when I used to run Snort, but it does still happen from time to time) so I wrote the following shell script to email me so I can at least manually start it, but I'd like to have the script try to start Suricata, wait, and then notify if necessary.

      (And if anyone has already solved this problem, or has any other tips, I'd love to hear them)

      #!/bin/tcsh
      
      # set number of expected Suricata processes that should be running,
      # i.e. the number of interfaces running Suricata
      set expected=2
      
      # check number of Suricata processes that are running
      # (pgrep scans the process table itself, so piping ps into it has no effect)
      set actual=`pgrep suricata | wc -l`
      
      # if the above numbers don't match, send email to notification address
      if ($expected != $actual) then
      #      if possible restart Suricata service, check again and only email if still not running properly
      	echo "Expected $expected Suricata processes, but $actual running, please login and verify" | mail.php -s"Possible IPS Process Failure"
      	exit 1
      endif
      

      and then I used the cron package to run this a few times a day.

      This seems to be working well enough, but it would be nice to have the script attempt to get things working on its own.

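      One way to make the check try a restart before mailing, as an added example that is not part of the original post or of the pfSense Suricata package: a POSIX sh version of the same process-count check that restarts once, waits, re-checks, and only emails if the count is still wrong. The restart command `/usr/local/etc/rc.d/suricata.sh restart` is an assumption about what the package installs; change `RESTART_CMD` to whatever your install provides.

```shell
#!/bin/sh
# Added example, not from the original post or the pfSense Suricata package.
# Same check as the tcsh script above, but tries one restart before mailing.
# ASSUMPTION: RESTART_CMD is a placeholder for whatever your package install
# provides; change it to match your system.

EXPECTED=${EXPECTED:-2}                        # interfaces running Suricata
RESTART_CMD=${RESTART_CMD:-/usr/local/etc/rc.d/suricata.sh restart}
SETTLE_SECS=${SETTLE_SECS:-30}                 # time for rules to load after restart

# Number of running suricata processes. pgrep scans the process table
# itself, so there is no need to pipe ps into it.
count_suricata() {
    pgrep -x suricata | wc -l | tr -d ' '
}

# Decide the next step from expected count ($1), actual count ($2) and
# whether a restart was already attempted ($3, 0/1). Prints: ok | restart | alert
decide() {
    if [ "$2" -eq "$1" ]; then
        echo ok
    elif [ "$3" -eq 0 ]; then
        echo restart
    else
        echo alert
    fi
}

# Check, restart once if needed, re-check, and only mail if still wrong.
watchdog() {
    tried=0
    while :; do
        actual=$(count_suricata)
        case "$(decide "$EXPECTED" "$actual" "$tried")" in
        ok) return 0 ;;
        restart)
            logger -t suricata-watchdog "expected $EXPECTED, found $actual; restarting"
            $RESTART_CMD            # unquoted on purpose: command plus arguments
            tried=1
            sleep "$SETTLE_SECS"
            ;;
        alert)
            echo "Expected $EXPECTED Suricata processes, but $actual running after a restart attempt, please login and verify" \
                | mail.php -s"Possible IPS Process Failure"
            return 1
            ;;
        esac
    done
}

# Only act when invoked with --run, e.g. from cron: /path/to/script.sh --run
if [ "${1-}" = "--run" ]; then
    watchdog
fi
```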
        pfBasic

        Have you tried the service watchdog package?

        It sounds like it is written to do exactly what you want.

        EDIT: Maybe not exactly what you want; it doesn't work on a per-interface basis. I don't know if it will work for you, but it should if your system keeps marking the suricata service as down for some reason.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.