This patch adds a watcher process that restarts suricata when it is killed by SIGKILL (e.g. by the OOM killer) or after a SEGV.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/rootfiles/common/suricata | 1 + config/suricata/suricata-watcher | 55 ++++++++++++++++++++++++++++++++ lfs/suricata | 3 ++ src/initscripts/system/suricata | 16 ++-------- 4 files changed, 61 insertions(+), 14 deletions(-) create mode 100644 config/suricata/suricata-watcher
diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata
index 53224d006..8fe53f7e6 100644
--- a/config/rootfiles/common/suricata
+++ b/config/rootfiles/common/suricata
@@ -1,6 +1,7 @@
 etc/suricata
 etc/suricata/suricata.yaml
 usr/bin/suricata
+usr/bin/suricata-watcher
 usr/sbin/convert-ids-backend-files
 #usr/share/doc/suricata
 #usr/share/doc/suricata/AUTHORS
diff --git a/config/suricata/suricata-watcher b/config/suricata/suricata-watcher
new file mode 100644
index 000000000..a1a13d40c
--- /dev/null
+++ b/config/suricata/suricata-watcher
@@ -0,0 +1,55 @@
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A Linux-based Firewall #
+# Copyright (C) 2024 IPFire Team info@ipfire.org #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see http://www.gnu.org/licenses/. #
+# #
+###############################################################################
+
+PIDFILE="/var/run/suricata.pid"
+
+main() {
+ local ret
+
+ while :; do
+ # Launch suricata
+ /usr/bin/suricata "$@" &>/dev/null
+
+ # Wait until suricata is done
+ ret=$?
+
+ case "${ret}" in
+ # If suricata has been killed by SIGKILL (e.g. by
+ # the OOM killer, or if it ran into a SEGV, we will
+ # restart the process.
+ 137|139)
+ # Remove the PID file
+ unlink "${PIDFILE}" 2>/dev/null
+
+ sleep 1
+ continue
+ ;;
+
+ *)
+ break
+ ;;
+ esac
+ done
+
+ return ${ret}
+}
+
+main "$@" || return $?
diff --git a/lfs/suricata b/lfs/suricata
index 88f3c4575..dcee61ea1 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -132,5 +132,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 # Install converter script needed for Core Update 167
 install -m 0755 $(DIR_SRC)/config/suricata/convert-ids-backend-files /usr/sbin/convert-ids-backend-files
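Review bot: `main "$@" || return $?` on the last line is not inside a function, so whenever main fails bash prints `return: can only `return' from a function or sourced script` and the script exits with status 1 instead of suricata's exit code; `main "$@"` alone (or `exit $?`) is what is meant. The loop also restarts suricata every second with no retry cap or back-off and discards its output with `&>/dev/null`, so a suricata that crashes at start-up respawns indefinitely with nothing in the log; a bounded retry count and a `logger -t suricata-watcher` line on each restart would make such a loop visible. Nothing stops the loop from outside either: a TERM sent to the watcher is not forwarded to suricata, and if a stop escalates to SIGKILL the exit code 137 is treated as a crash and suricata is started again (the `stop)` hunk in src/initscripts/system/suricata is where that would happen), so the watcher should trap TERM, forward it, and leave the loop as sketched below.
```bash
# … unchanged: license header, PIDFILE …

# Set by the TERM/INT trap so that a requested shutdown is not
# mistaken for a crash and restarted.
stop_requested=0
trap 'stop_requested=1; kill -TERM "${pid}" 2>/dev/null' TERM INT

main() {
	local ret

	while :; do
		# Run suricata in the background and wait for it, so that the
		# trap above can run while suricata is up
		/usr/bin/suricata "$@" &>/dev/null &
		pid=$!
		wait "${pid}"
		ret=$?

		# wait returns early when the trap fires; wait once more for
		# suricata itself to exit, then leave without restarting
		if [ "${stop_requested}" -eq 1 ]; then
			wait "${pid}"
			ret=$?
			break
		fi

		# … unchanged: case "${ret}" in 137|139) … *) … esac …
	done

	return ${ret}
}

main "$@"
```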
+ # Install the watcher
+ install -v -m 755 $(DIR_SRC)/config/suricata/suricata-watcher /usr/bin/suricata-watcher
+
 @rm -rf $(DIR_APP)
 @$(POSTBUILD)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 20afab130..40bd69c87 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -123,12 +123,9 @@ case "$1" in
 if [ "$ENABLE_IDS" == "on" ]; then
 # Start the IDS.
 boot_mesg "Starting Intrusion Detection System..."
- /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES >/dev/null 2>/dev/null
+ /usr/bin/suricata-watcher -c /etc/suricata/suricata.yaml $NFQUEUES
 evaluate_retval
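Review bot: `install -v -m 755` is spelled differently from the `install -m 0755` line directly above it in the same recipe; dropping `-v` and writing the mode the same way keeps the two install lines uniform, `install -m 0755 $(DIR_SRC)/config/suricata/suricata-watcher /usr/bin/suricata-watcher`. The rule header `$(TARGET) : …` that owns this recipe starts before the hunk.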
- # Allow reading the pidfile.
- chmod 644 $PID_FILE
-
 # Flush the firewall chain
 flush_fw_chain
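Review bot: The new start line runs `/usr/bin/suricata-watcher` in the foreground, and the watcher added in config/suricata/suricata-watcher runs suricata without `-D` and stays in its loop until suricata exits, so as far as these hunks show the `start` action never reaches `evaluate_retval` while the IDS is up. Unless something not visible here backgrounds the watcher, the call needs `&`, e.g. `/usr/bin/suricata-watcher -c /etc/suricata/suricata.yaml $NFQUEUES &`, after which `evaluate_retval` only reports that the fork succeeded, not that suricata started. With `-D` gone, whether suricata still writes `$PID_FILE` (which the watcher unlinks before a restart) now depends on the pid-file setting in suricata.yaml, which is not part of this patch; worth confirming, since the `chmod 644 $PID_FILE` that assumed the file exists is removed here. The enclosing `case "$1" in` starts outside the hunk.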
@@ -139,20 +136,11 @@ case "$1" in
 stop)
 boot_mesg "Stopping Intrusion Detection System..."
- killproc -p $PID_FILE /var/run
+ killproc /usr/bin/suricata
 # Flush firewall chain.
 flush_fw_chain
- # Sometimes suricata not correct shutdown. So killall.
- killall -KILL /usr/bin/suricata 2>/dev/null
-
- # Remove suricata control socket.
- rm /var/run/suricata/* >/dev/null 2>/dev/null
-
- # Trash remain pid file if still exists.
- rm -f $PID_FILE >/dev/null 2>/dev/null
-
 # Don't report returncode of rm if suricata was not started
 exit 0
 ;;
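Review bot: The comment `# Don't report returncode of rm if suricata was not started` above `exit 0` now describes lines this hunk removes, so it should state what the `exit 0` is still for, e.g. `# Always succeed, even when suricata was not running`. `killproc /usr/bin/suricata` matches suricata by name and leaves the watcher process itself untouched; the watcher only exits because suricata's exit code falls through to its `*)` branch, and if killproc escalates to SIGKILL (which depends on the bootscript's killproc implementation, not shown here) the resulting 137 makes the watcher start suricata again after `stop` — that defect is raised on the watcher hunk. Removing `rm /var/run/suricata/*` also means a stale control socket is no longer cleaned up on stop; whether suricata removes it on a clean exit is not visible in this patch. The `case "$1" in` statement continues beyond the hunk.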