Making suricata a service on Squeeze.

■Making suricata a service on Squeeze
 The suricata Ver1.0.1 package on Debian Squeeze does not ship an init script.

 Installing Suricata on Squeeze
 http://d.hatena.ne.jp/labunix/20121225

$ suricata -V | grep ^This
This is Suricata version 1.0.1
$ dpkg -L suricata | grep init.d || echo "Not Found init.d script"
Not Found init.d script

■Ubuntu's "suricata_1.0.4" appears to have one.

$ mkdir suricata_ubuntu
$ cd suricata_ubuntu/
$ wget http://archive.ubuntu.com/ubuntu/pool/universe/s/suricata/suricata_1.0.4-1_amd64.deb
$ dpkg -I suricata_1.0.4-1_amd64.deb | grep Maint
 Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
 Original-Maintainer: Pierre Chifflier <pollux@debian.org>

■No need to write the LSB tags again.
 ※Reusing the Snort script would also work, but Snort's script has a lot of branching of its own.

$ grep BEGIN -A 10 /etc/init.d/suricata
### BEGIN INIT INFO
# Provides:          suricata
# Required-Start:    $time $network $local_fs $remote_fs
# Required-Stop:     $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Next Generation IDS/IPS
# Description:       Intrusion detection system that will
#                    capture traffic from the network cards and will
#                    match against a set of known attacks.
### END INIT INFO

■Extracting files from the deb package

$ apropos ^ar\$
ar (1)               - 書庫の作成、変更、および書庫からのフ...
$ ar -t suricata_1.0.4-1_amd64.deb
debian-binary
control.tar.gz
data.tar.gz
$ ar -x suricata_1.0.4-1_amd64.deb
$ tar ztvf data.tar.gz | grep init
drwxr-xr-x root/root         0 2011-06-26 04:42 ./etc/init.d/
-rwxr-xr-x root/root      3988 2010-12-20 01:06 ./etc/init.d/suricata

■Extracting a file from the tar.gz

$ gunzip -c data.tar.gz | tar xvf - ./etc/init.d/suricata
./etc/init.d/suricata
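As an added example (not part of the original post), the ar and tar steps above as one POSIX sh function. It goes slightly beyond the page: it also accepts data.tar.xz and data.tar.zst, which newer Debian and Ubuntu packages use, and extracts in a scratch directory so nothing but the requested member lands in your working directory. The function name deb_extract and its argument order are assumptions.

```shell
# Added example, not part of the original post.
# deb_extract DEB MEMBER DESTDIR: unpack MEMBER (e.g. ./etc/init.d/suricata) from the
# package's data archive into DESTDIR. Handles data.tar.gz, .xz and .zst, works in a
# scratch directory, and prints the extracted path on success (non-zero status otherwise).
deb_extract() {
    deb=$1 member=$2 dest=$3
    case "$deb" in /*) ;; *) deb="$PWD/$deb" ;; esac   # ar -x writes into the cwd
    work=$(mktemp -d) || return 1
    data=$(ar -t "$deb" | grep '^data\.tar') || { rm -rf "$work"; return 1; }
    ( cd "$work" && ar -x "$deb" "$data" ) || { rm -rf "$work"; return 1; }
    case "$data" in
        *.tar.gz)  unpack="gzip -dc" ;;
        *.tar.xz)  unpack="xz -dc" ;;
        *.tar.zst) unpack="zstd -dc" ;;
        *.tar)     unpack="cat" ;;
        *) rm -rf "$work"; return 1 ;;
    esac
    mkdir -p "$dest" || { rm -rf "$work"; return 1; }
    # Only the requested member is unpacked; -C keeps it out of the current directory
    $unpack "$work/$data" | tar xf - -C "$dest" "$member"
    rc=$?
    rm -rf "$work"
    out="$dest/${member#./}"
    [ "$rc" -eq 0 ] && [ -e "$out" ] && printf '%s\n' "$out"
}
```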

■Checking the init script.

$ sudo cp ./etc/init.d/suricata /etc/init.d/
$ sudo ls -l /etc/init.d/suricata | cut -c -10
-rwxr-xr-x

$ sudo /bin/bash -xv /etc/init.d/suricata 2> /dev/null
/etc/default/suricata is missing... bailing out!
suricata disabled, please adjust the configuration to your needs ... failed!
and then set RUN to 'yes' in /etc/default/suricata to enable it. ... failed!

■Extracting "/etc/default/suricata".

$ gunzip -c data.tar.gz | tar xvf - ./etc/default/suricata
$ sudo cp ./etc/default/suricata /etc/default

■Edit the NIC to monitor as needed, and set "RUN=yes".

$ grep "RUN\|eth" /etc/default/suricata
RUN=no
IFACE=eth0
$ sudo sed -i s/"RUN=no"/"RUN=yes"/ /etc/default/suricata

$ sudo sed -i s/"IFACE=eth0"/"IFACE=eth1"/ /etc/default/suricata

$ sudo /bin/bash -xv /etc/init.d/suricata 2> /dev/null
Usage: /etc/init.d/suricata {start|stop|restart|status}start/stop/restart/status

$ sudo /bin/bash /etc/init.d/suricata start
Starting suricata in IPS (nfqueue) mode... done.
$ sudo /bin/bash /etc/init.d/suricata status
suricata is running with PID 8043

$ sudo /bin/bash /etc/init.d/suricata stop
Stopping suricata:  done.
$ sudo /bin/bash /etc/init.d/suricata status
suricata not running!

$ sudo /bin/bash /etc/init.d/suricata restart
Stopping suricata:  No PID file found; not running?
Starting suricata in IPS (nfqueue) mode... done.

■Checking the process. There is no "-i eth1"...

$ ps -ef | grep suricata | grep -v grep | sed s/"   *"/"\,"/g | sed s%/usr%"\n&"%
root,8227,1 95 21:39 ?,00:00:01
/usr/bin/suricata -c /etc/suricata/suricata-debian.yaml --pidfile /var/run/suricata.pid -q 0 -D

■Changing from "nfqueue" to "pcap" mode

$ sudo grep LIST /etc/default/suricata
LISTENMODE=nfqueue
$ sudo sed -i s/"LISTENMODE=nfqueue"/"LISTENMODE=pcap"/ /etc/default/suricata

$ grep -A 8 ' nfqueue)' /etc/init.d/suricata
  nfqueue)
    IDMODE="IPS (nfqueue)"
    LISTEN_OPTIONS=" -q $NFQUEUE"
    check_nfqueue
    ;;
  pcap)
    IDMODE="IDS (pcap)"
    LISTEN_OPTIONS=" -i $IFACE"
    ;;

$ sudo /etc/init.d/suricata restart
Stopping suricata: Waiting . . . . . . . . . . 

■The ". . . " printed by the while loop differs from the start output, and the last line is not terminated with a newline, which looks off, so fix it.

$ sudo grep -A 10 while /etc/init.d/suricata
               while kill -0 "$PID2" 2>/dev/null; do
                   ret=$?
                   cnt=`expr "$cnt" + 1`
                   if [ "$cnt" -gt 10 ]; then
                      kill -9 "$PID2"
                      break
                   fi
                   sleep 2
                   echo -n "."
               done
               echo "done"
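An added example, not the init script's own code: the stop-and-wait loop above rewritten so that cnt is initialised before use, each poll prints one "." and the line always ends with a newline, and the PID read from the pidfile is only signalled when its command name matches the daemon the file is supposed to track. That last check matters after a crash: a stale pidfile can point at a PID that has since been reused by an unrelated process, and the original loop would kill -9 it. The function name stop_and_wait, its arguments and the 2-second / 10-try defaults are assumptions.

```shell
# Added example, not the init script's own code. stop_and_wait PIDFILE COMM [INTERVAL] [MAX_TRIES]
# returns 0 once the process is gone, 1 if it survived SIGKILL, and 2 (pidfile left alone)
# when the PID in the file belongs to a program other than COMM, e.g. a PID reused after
# a crash. The 2-second / 10-try defaults are assumptions taken from the loop above.
proc_comm() {  # command name of PID $1; empty when no such process exists
    if [ -r "/proc/$1/comm" ]; then cat "/proc/$1/comm"; else ps -o comm= -p "$1" 2>/dev/null; fi
}

stop_and_wait() {
    pidfile=$1 want=$2 interval=${3:-2} max=${4:-10}
    if [ ! -r "$pidfile" ]; then
        echo "No PID file found; not running?"
        return 0
    fi
    pid=$(cat "$pidfile")
    have=$(proc_comm "$pid")
    if [ -z "$have" ]; then
        echo "stale PID file: $pid is not running, removing it"
        rm -f "$pidfile"
        return 0
    fi
    # Refuse to signal a PID whose command name is not the daemon this file is meant to track
    if [ "$have" != "$want" ]; then
        echo "PID $pid is '$have', not '$want'; refusing to signal it" >&2
        return 2
    fi
    printf 'Stopping %s: ' "$want"
    kill -TERM "$pid" 2>/dev/null
    cnt=0   # the loop above never initialises cnt before using it in expr
    while kill -0 "$pid" 2>/dev/null; do
        cnt=$((cnt + 1))
        if [ "$cnt" -gt "$max" ]; then
            kill -KILL "$pid" 2>/dev/null
            sleep 1
            break
        fi
        sleep "$interval"
        printf '.'   # one dot per poll, like the start side
    done
    if kill -0 "$pid" 2>/dev/null; then
        echo " failed"   # the line is always terminated, even on failure
        return 1
    fi
    rm -f "$pidfile"
    echo "done"
    return 0
}
```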

$ ps -ef | grep suricata | grep -v grep | sed s%/usr%"\n&"%
root      3798     1 15 22:06 ?        00:00:20
/usr/bin/suricata -c /etc/suricata/suricata-debian.yaml --pidfile /var/run/suricata.pid -i eth1 -D
$ cat /var/run/suricata.pid
3798

$ sudo /bin/bash -x /etc/init.d/suricata restart | tail -5
+ /etc/init.d/suricata stop
Stopping suricata: Waiting ..done
+ /etc/init.d/suricata start
Starting suricata in IDS (pcap) mode... done.
+ exit 0

$ sudo tail -f /var/log/suricata/stats.log | grep -v "| 0\$"
decoder.max_pkt_size      | Decode & Stream           | 90
-------------------------------------------------------------------
26/12/2012 -- 22:20:24
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
decoder.pkts              | Decode & Stream           | 28
decoder.bytes             | Decode & Stream           | 1788
decoder.ipv4              | Decode & Stream           | 6
decoder.ethernet          | Decode & Stream           | 28
decoder.udp               | Decode & Stream           | 6
decoder.avg_pkt_size      | Decode & Stream           | 63.857143
decoder.max_pkt_size      | Decode & Stream           | 90
-------------------------------------------------------------------

■Enable it at boot as well

$ sudo chkconfig --list suricata
suricata                  0:off  1:off  2:off  3:off  4:off  5:off  6:off
$ sudo chkconfig suricata on
$ sudo chkconfig --list suricata
suricata                  0:off  1:off  2:on   3:on   4:on   5:on   6:off