
Suricata Supervision

The sensor runs and manages a local Suricata instance rather than assuming one is already present. This is handled by internal/launcher, internal/supervisor, and internal/suricata.

Launcher auto-detection

launcher.Detect() selects how Suricata is run:

  1. RAVENXCOPE_LAUNCHER env var, if set (docker or systemd).
  2. Docker — if /var/run/docker.sock exists.
  3. systemd — if systemctl is available.
  4. Otherwise — error (no usable launcher found: install Docker or run on a systemd host). Bridge-only deployments are the exception: there the sensor only relays alerts and never launches Suricata itself.

Both launchers implement the same Launcher interface. Start(ctx, spec) passes the configuration to Suricata through environment variables and points its eve.json output at the socket directory, where the sensor's socket_reader picks it up.
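The detection order and the shared interface above, as an added Go example; this is not the sensor's own internal/launcher code. The precedence, the docker.sock and systemctl checks, the RAVENXCOPE_LAUNCHER variable and the image name follow the page. The Probes struct, the Spec fields, the Argv method, the systemd unit name suricata, the SURICATA_* environment variable names, the capabilities and the container mount path are assumptions made for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"os/exec"
)

// Spec carries what a launcher needs to start Suricata. The field names are
// assumptions for this example, not the sensor's real spec type.
type Spec struct {
	Interface string // capture interface, e.g. "eth0"
	IPS       bool   // true: inline IPS, false: passive IDS
	SocketDir string // host directory that receives eve.json
}

// Launcher mirrors the page's interface: one Start shared by both back ends.
// Argv is an addition so the command can be inspected without running it.
type Launcher interface {
	Name() string
	Argv(spec Spec) []string
	Start(ctx context.Context, spec Spec) error
}

type dockerLauncher struct{ image string }
type systemdLauncher struct{ unit string }

func (dockerLauncher) Name() string  { return "docker" }
func (systemdLauncher) Name() string { return "systemd" }

// Docker: configuration travels as environment variables and the socket directory
// is bind-mounted so eve.json lands where socket_reader reads it. Variable names,
// capabilities and the container path are assumptions.
func (d dockerLauncher) Argv(spec Spec) []string {
	mode := "ids"
	if spec.IPS {
		mode = "ips"
	}
	return []string{"docker", "run", "--rm", "--network=host",
		"--cap-add=NET_ADMIN", "--cap-add=NET_RAW",
		"-e", "SURICATA_MODE=" + mode, "-e", "SURICATA_IFACE=" + spec.Interface,
		"-v", spec.SocketDir + ":/var/log/suricata", d.image}
}

// systemd: the unit (name assumed) is expected to read interface and mode from
// its own environment file, so only the unit appears on the command line.
func (s systemdLauncher) Argv(Spec) []string { return []string{"systemctl", "start", s.unit} }

func (d dockerLauncher) Start(ctx context.Context, spec Spec) error  { return run(ctx, d.Argv(spec)) }
func (s systemdLauncher) Start(ctx context.Context, spec Spec) error { return run(ctx, s.Argv(spec)) }

func run(ctx context.Context, argv []string) error {
	cmd := exec.CommandContext(ctx, argv[0], argv[1:]...)
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	return cmd.Run()
}

// Probes abstracts the host checks so Detect can be exercised on a machine with
// neither Docker nor systemd (an addition here; the real Detect reads the host).
type Probes struct {
	Getenv     func(string) string
	FileExists func(string) bool
	InPath     func(string) bool
}

func HostProbes() Probes {
	return Probes{
		Getenv:     os.Getenv,
		FileExists: func(p string) bool { _, err := os.Stat(p); return err == nil },
		InPath:     func(bin string) bool { _, err := exec.LookPath(bin); return err == nil },
	}
}

var ErrNoLauncher = errors.New("no usable launcher found: install Docker or run on a systemd host")

// Detect applies the page's precedence: explicit env var, Docker socket, systemctl,
// else error. Rejecting unrecognised env values is an addition; the page does not
// say how the real code treats them.
func Detect(p Probes) (Launcher, error) {
	switch v := p.Getenv("RAVENXCOPE_LAUNCHER"); v {
	case "docker":
		return dockerLauncher{image: "ravenxcope-suricata-image"}, nil
	case "systemd":
		return systemdLauncher{unit: "suricata"}, nil
	case "":
		// unset: fall through to host detection
	default:
		return nil, fmt.Errorf("RAVENXCOPE_LAUNCHER=%q: expected docker or systemd", v)
	}
	if p.FileExists("/var/run/docker.sock") {
		return dockerLauncher{image: "ravenxcope-suricata-image"}, nil
	}
	if p.InPath("systemctl") {
		return systemdLauncher{unit: "suricata"}, nil
	}
	return nil, ErrNoLauncher
}
```

Two things worth keeping in mind when the real Detect behaves like this: an explicit RAVENXCOPE_LAUNCHER skips the host checks entirely, so a value baked in by a provisioning image but wrong for the host fails later at Start rather than at Detect; and the Docker path asks for NET_ADMIN and host networking, which is what Suricata needs to capture, so the socket directory and the image tag are the things to pin down on a sensor host.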

Suricata image & rules

  • The Docker launcher runs the ravenxcope-suricata-image, selecting IDS or IPS mode and the capture interface.
  • internal/launcher/community_rules.go can run a helper container to fetch community rules.
  • Custom rules served by the backend (Suricata rules catalog) are merged into the running ruleset.
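One way to fold backend-served rules into the community set, as an added Go example and not the sensor's code. The page says the two sets are merged but not how, so the policy here (overlay by sid, backend wins, community order kept, malformed lines rejected) is an assumption, and the sample rules are constructed for the example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Rule is one Suricata rule keyed by its sid, the identity the merge uses.
type Rule struct {
	SID  int
	Text string
}

// sidRe finds the sid option; anchoring on the closing ';' keeps a literal
// "sid:" inside a msg string from matching. A real parser would tokenise the
// option list instead.
var sidRe = regexp.MustCompile(`\bsid\s*:\s*(\d+)\s*;`)

// ParseRules reads a rules file: comments and blank lines are skipped and
// backslash continuations joined. A rule without a sid is an error rather
// than being passed through, because Suricata rejects the whole file on one
// bad line and a silent drop would hide the lost coverage.
func ParseRules(text string) ([]Rule, error) {
	var rules []Rule
	var pending strings.Builder
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if strings.HasSuffix(line, `\`) {
			pending.WriteString(strings.TrimSuffix(line, `\`) + " ")
			continue
		}
		if pending.Len() > 0 {
			line = pending.String() + line
			pending.Reset()
		}
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		m := sidRe.FindStringSubmatch(line)
		if m == nil {
			return nil, fmt.Errorf("line %d: rule without sid: %q", n, line)
		}
		sid, err := strconv.Atoi(m[1])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad sid %q", n, m[1])
		}
		rules = append(rules, Rule{SID: sid, Text: line})
	}
	if pending.Len() > 0 {
		return nil, errors.New("file ends inside a continued rule")
	}
	return rules, sc.Err()
}

// MergeRules overlays custom on community: a sid present in both keeps the
// community position but takes the custom text, new sids are appended, and
// duplicate sids within an input are emitted once.
func MergeRules(community, custom []Rule) []Rule {
	override := make(map[int]Rule, len(custom))
	for _, r := range custom {
		override[r.SID] = r
	}
	seen := make(map[int]bool)
	var out []Rule
	add := func(r Rule) {
		if !seen[r.SID] {
			seen[r.SID] = true
			out = append(out, r)
		}
	}
	for _, r := range community {
		if c, ok := override[r.SID]; ok {
			r = c
		}
		add(r)
	}
	for _, r := range custom {
		add(r)
	}
	return out
}

// Render produces the rules file handed to Suricata.
func Render(rules []Rule) string {
	var b strings.Builder
	for _, r := range rules {
		b.WriteString(r.Text + "\n")
	}
	return b.String()
}

// Constructed sample inputs for this example, not real community or backend rules.
const communityRules = `# community set (constructed)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST one"; content:"/a"; sid:1000001; rev:1;)
alert dns any any -> any 53 (msg:"TEST two"; \
    sid:1000002; rev:3;)
`

const customRules = `# backend catalog (constructed)
alert dns any any -> any 53 (msg:"LOCAL override two"; sid:1000002; rev:4;)
alert tcp any any -> any 4444 (msg:"LOCAL reverse shell port"; sid:9000001; rev:1;)
`
```

The reason to fail closed on a malformed backend rule rather than skip it: rules served from the backend are effectively code that Suricata will execute, and in IPS mode a drop rule is a blocking decision, so the sensor should know exactly which sids it loaded and refuse a set it cannot account for.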

Supervisor & control

internal/control.NatsClient receives backend commands and forwards them to the supervisor (SetHandler(sup.Handle)); the supervisor drives the launcher and publishes status back over NATS (PublishStatus). This path is control plane only: alert data never travels over NATS, it reaches the sensor through eve.json and the socket_reader.
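The supervisor's command handling and status publication, as an added Go example rather than the project's internal/supervisor or internal/control code. Handle, the SetHandler-style wiring and PublishStatus correspond to names on the page; the Command and Status shapes, the action names, the Stop method on the launcher, and the in-memory launcher and publisher used in place of Docker, systemd and NATS are assumptions made for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
)

// Command is the control-plane message handed to Handle; the action names are
// assumptions, since the page does not list the sensor's real command set.
type Command struct{ Action, Iface string; IPS bool } // Action: start, stop, restart, status

// Status goes back over the control plane. It carries state only: alert
// records never pass through here, matching the page's control/data split.
type Status struct{ State, Launcher, Iface, Error string } // State: stopped, running, failed

// Launcher is the back end the supervisor drives; Stop is assumed so restart can be expressed.
type Launcher interface {
	Name() string
	Start(ctx context.Context, iface string, ips bool) error
	Stop(ctx context.Context) error
}

// Publisher is the seam where the NATS client sits (PublishStatus on the page).
type Publisher interface{ PublishStatus(Status) }

type Supervisor struct {
	mu       sync.Mutex
	launcher Launcher
	pub      Publisher
	status   Status
}

func NewSupervisor(l Launcher, p Publisher) *Supervisor {
	return &Supervisor{launcher: l, pub: p, status: Status{State: "stopped", Launcher: l.Name()}}
}

// Handle is what the NATS client invokes (SetHandler(sup.Handle) on the page).
// The mutex serialises backend commands so two cannot race the launcher,
// unknown actions are rejected before anything runs, and every launcher
// outcome, including failure, is published so the backend sees it.
func (s *Supervisor) Handle(ctx context.Context, cmd Command) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	var err error
	switch cmd.Action {
	case "status": // republish the current state, no launcher action
	case "start":
		if s.status.State == "running" {
			return fmt.Errorf("start: already running on %s", s.status.Iface)
		}
		err = s.start(ctx, cmd)
	case "stop":
		err = s.stop(ctx)
	case "restart":
		if err = s.stop(ctx); err == nil {
			err = s.start(ctx, cmd)
		}
	default:
		return fmt.Errorf("rejecting unknown control action %q", cmd.Action)
	}
	s.pub.PublishStatus(s.status)
	return err
}

func (s *Supervisor) start(ctx context.Context, cmd Command) error {
	if cmd.Iface == "" {
		return errors.New("start: capture interface required")
	}
	if err := s.launcher.Start(ctx, cmd.Iface, cmd.IPS); err != nil {
		s.status = Status{State: "failed", Launcher: s.launcher.Name(), Iface: cmd.Iface, Error: err.Error()}
		return err
	}
	s.status = Status{State: "running", Launcher: s.launcher.Name(), Iface: cmd.Iface}
	return nil
}

func (s *Supervisor) stop(ctx context.Context) error {
	if s.status.State != "running" {
		return nil // idempotent: stopping a stopped or failed instance is a no-op
	}
	if err := s.launcher.Stop(ctx); err != nil {
		s.status.State, s.status.Error = "failed", err.Error()
		return err
	}
	s.status = Status{State: "stopped", Launcher: s.launcher.Name()}
	return nil
}

// Current returns the supervisor's current status.
func (s *Supervisor) Current() Status { s.mu.Lock(); defer s.mu.Unlock(); return s.status }

// In-memory stand-ins for the launcher and the NATS publisher so the
// supervisor can run offline; both exist only for this example.
type fakeLauncher struct{ starts, stops int; failStart error }

func (f *fakeLauncher) Name() string                                  { return "fake" }
func (f *fakeLauncher) Start(context.Context, string, bool) error { f.starts++; return f.failStart }
func (f *fakeLauncher) Stop(context.Context) error                    { f.stops++; return nil }

type recordingPublisher struct{ published []Status }

func (p *recordingPublisher) PublishStatus(st Status) { p.published = append(p.published, st) }
```

The property the example preserves is the one the page insists on: Status is a small, fixed set of fields, so nothing that reaches the backend over the control channel can carry an alert record, and nothing arriving from the backend reaches the launcher unless it names a known action, which is the check a practitioner would want on any channel that can start or stop a packet-processing engine.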