Start and stop Suricata from shell? and alerting when suricata not running
-
Is it possible to start and stop Suricata from the shell?
If so I'd prefer to do so for individual interfaces (like clicking to start or stop the individual interface on suricata_interfaces.php), but if that isn't possible starting/stopping/restarting the service via status_services.php would also be helpful.
I imagine if there isn't a way to do it out of the box, it may be possible to do with a small php script, unfortunately I don't know my way around PHP very well.
The reason I ask is that occasionally I find that Suricata isn't running when it should be (this is less of a problem with Suricata than when I used to run Snort, but it does still happen from time to time) so I wrote the following shell script to email me so I can at least manually start it, but I'd like to have the script try to start Suricata, wait, and then notify if necessary.
(And if anyone has already solved this problem, or has any other tips, I'd love to hear them)
#!/bin/tcsh #set number of expected Suricata processes that should be running based on the number of interfaces running Suricata set expected=2 #check number of Suricata processes that are running set actual=`ps aux | pgrep suricata | wc -l` #if the above numbers don't match, send email to notification address if ($expected != $actual) then # if possible restart Suricata service, check again and only email if still not running properly echo "Expected $expected Suricata processes, but $actual running, please login and verify" | mail.php -s"Possible IPS Process Failure" exit 1 endif
and then I used the cron package to run this a few times a day.
This seems to be working well enough, but it would be nice to have the script attempt to get things working on its own.
-
Have you tried the service watchdog package?
It sounds like it is written to do exactly what you want.
EDIT: Maybe not exactly what you want, it doesn't work on a per interface basis. I don't know if it will work for you but it should if your system keeps marking the suricata service as down for some reason.