I have an issue with Suricata. I don’t know why, but the IPS stops randomly every 2 weeks or something like that. I don’t know what to do about it. Maybe somebody can point me to some verification that I can do to find out where the problem comes from?
I cannot restart it until I have rebooted the server. Using the web control does not work. Trying stop/save/start/save does not work either.
Also, I’m thinking of making a script to monitor the service status and send a mail when it goes down, to have more clues about the time it happens; it could monitor for a possible attack also…
I use IPFire as a home gateway, and I only have OpenVPN open as an attack vector from the red, I think…
This can be done (e.g.) with monit. You can install this addon through pakfire. I just sent the latest updated version to Git. Working here. Doing its job.
To monitor the state of ‘suricata’ - and/or restart it if it has stopped - create a file with the following content, name it ‘suricata’ and place it in /etc/monit.d/:
# IPFire - monit control file - suricata
check process suricata with pidfile "/var/run/suricata.pid"
    start program = "/etc/init.d/suricata start"
    stop program = "/etc/init.d/suricata stop"
    if not exist for 2 cycles then alert
    if not exist for 3 cycles then restart
Don’t forget to adjust /etc/monitrc - e.g., the # mailserver-section:
# mailserver
set mailserver YOUR_ISP_MAILSERVER
    port 587
    username "YOUR_USERNAME"
    password "MAIL_PASSWORD"
    using auto
    with timeout 45 seconds
This does not solve the main issue, which is why Suricata ceases to function, but at least now, thanks to you, I have a failsafe in place to restart it when it goes down. This will surely also help to know when it happens, for the diagnosis of the problem.
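An added example, not written by anyone in this thread: a small watchdog that complements the monit check by recording a timestamped line each time Suricata's state changes, and by distinguishing a missing pidfile from a stale one (pidfile present, process gone). Only the pidfile path comes from the monit file above; the log path and the expected process name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): record when Suricata's state changes.
# Only the pidfile path comes from the monit file above; the log path and
# the expected process name are placeholders.

# Print one of: no-pidfile, bad-pidfile, stale-pidfile, pid-reused:<name>, running
suricata_state() {
    pidfile="$1"; expected="$2"
    [ -f "$pidfile" ] || { echo "no-pidfile"; return 0; }
    pid=$(tr -d '[:space:]' < "$pidfile")
    case "$pid" in
        ''|*[!0-9]*) echo "bad-pidfile"; return 0 ;;
    esac
    # kill -0 sends no signal; it only tests that the PID exists (run as root).
    if ! kill -0 "$pid" 2>/dev/null; then
        echo "stale-pidfile"; return 0
    fi
    # Optional: detect a PID that was recycled by an unrelated process.
    if [ -n "$expected" ] && [ -r "/proc/$pid/comm" ]; then
        comm=$(cat "/proc/$pid/comm")
        [ "$comm" = "$expected" ] || { echo "pid-reused:$comm"; return 0; }
    fi
    echo "running"
}

# Append a timestamped line to the log only when the state differs from the
# last logged one, so a per-minute cron job yields a short timeline.
log_state() {
    state=$(suricata_state "$1" "$2")
    last=$(tail -n 1 "$3" 2>/dev/null | sed 's/^[^ ]* suricata //')
    if [ "$state" != "$last" ]; then
        printf '%s suricata %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$state" >> "$3"
    fi
    echo "$state"
}

# Example call (paths other than the pidfile are hypothetical):
# log_state /var/run/suricata.pid "" /var/log/suricata-watch.log
```

The resulting timeline gives the exact minute of each stop, which can then be matched against the system and Suricata logs for that time.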