Suricata

We are shifting away to mingw as it offers more benefits.
Can you please try the following guide below. It would also help as a feedback as I will be updating the docs on that end too.

1)
First install msys2 - 64bit
https://www.msys2.org/

2)
Update and install the deps:

After install use the Mingw64 (click on msys it will ask which one of the three environments to start) on start up to build Suricata
Choose Mingw64 then inside run the below pkg install commands.

pacman -Syuu

pacman -S --needed base-devel mingw-w64-x86_64-toolchain git subversion

pacman -S  mingw64/mingw-w64-x86_64-libtool mingw64/mingw-w64-x86_64-pcre \
mingw64/mingw-w64-x86_64-lua mingw64/mingw-w64-x86_64-geoip \
mingw64/mingw-w64-x86_64-luajit-git wget jansson  jansson-devel libpcre pcre pcre-devel gcc  gcc-libs  make autoconf \
autogen automake git libyaml libyaml-devel zlib zlib-devel pkg-config \
mingw64/mingw-w64-x86_64-nspr mingw64/mingw-w64-x86_64-nss mingw64/mingw-w64-x86_64-rust

3)
Download and unzip npcap-sdk (https://nmap.org/npcap/) in the proper folder so after words you could use something similar "--with-libpcap-includes=/npcap-sdk/Include --with-libpcap-libraries=/npcap-sdk/Lib/x64 "

Also install npcap as well - https://nmap.org/npcap/dist/npcap-0.992.exe

4)
If you are building the latest stable (if you want you can also do similar for 5.0beta1, just remove "--disable-rust" from the config line below):

wget https://www.openinfosecfoundation.org/download/suricata-4.1.4.tar.gz && \
tar -zxf suricata-4.1.4.tar.gz && cd suricata-4.1.4

./configure   \
--with-libpcap-includes=/npcap-sdk/Include --with-libpcap-libraries=/npcap-sdk/Lib/x64  \
--enable-lua --enable-geoip --disable-gccmarch-native --disable-rust \
&& make clean && make -j 2

Please let us know how it goes.

Hello, I have run the instructions up until step 4 and have an issue:

checking yaml.h usability... no
checking yaml.h presence... no
checking for yaml.h... no
checking for yaml_parser_initialize in -lyaml... no

ERROR!  libyaml library not found, go get it
   from http://pyyaml.org/wiki/LibYAML
   or your distribution:

Ubuntu: apt-get install libyaml-dev
   Fedora: dnf install libyaml-devel
   CentOS/RHEL: yum install libyaml-devel

I have ran the command in step 2 of course:
pacman -S mingw64/mingw-w64-x86_64-libtool mingw64/mingw-w64-x86_64-pcre \
mingw64/mingw-w64-x86_64-lua mingw64/mingw-w64-x86_64-geoip \
mingw64/mingw-w64-x86_64-luajit-git wget jansson jansson-devel libpcre pcre pcre-devel gcc gcc-libs make autoconf \
autogen automake git libyaml libyaml-devel zlib zlib-devel pkg-config \
mingw64/mingw-w64-x86_64-nspr mingw64/mingw-w64-x86_64-nss mingw64/mingw-w64-x86_64-rust

Which clearly has those libyaml packages; and reran those commands, and were just "reinstalled".

I tried to install yaml libraries separately via wget & configure make etc but other issues have appeared.

I have pasted the full log to this pastebin for brevity: https://pastebin.com/CC1vLZby

Specific errors I will copy to here:

checking for ./suricata-update/setup.py... yes

Warning: suricata-update will not be installed as the
        depedency python-yaml is not installed.

Debian/Ubuntu: apt install python-yaml
    Fedora: dnf install python-yaml
    CentOS/RHEL: yum install python-yaml

checking for magic.h... no

WARNING!  magic library not found, go get it
   from http://www.darwinsys.com/file/ or your distribution:

Ubuntu: apt-get install libmagic-dev
   Fedora: dnf install file-devel
   CentOS/RHEL: yum install file-devel

checking for LZ4F_createCompressionContext in -llz4... no

Compressed pcap logging is not available without liblz4.
  If you want to enable compression, you need to install it.

Ubuntu: apt-get install liblz4-dev
  Fedora: dnf install lz4-devel
  CentOS/RHEL: yum install epel-release
               yum install lz4-devel

libtool: warning: undefined symbols not allowed in x86_64-w64-mingw32 shared libraries; building static only

CC       util-debug-filters.o
util-debug.c:81:37: warning: initialization of 'pthread_mutex_t' {aka 'long long int'} from 'void *' makes integer from pointer without a cast [-Wint-conversion]
   81 | static SCMutex sc_log_stream_lock = NULL;
    |                                     ^~~~
util-debug.c: In function 'SCLogDeInitLogModule':
util-debug.c:1489:25: warning: comparison between pointer and integer
 1489 |  if (sc_log_stream_lock != NULL) {
    |                         ^~
util-debug.c:1491:22: warning: assignment to 'pthread_mutex_t' {aka 'long long int'} from 'void *' makes integer from pointer without a cast [-Wint-conversion]
 1491 |   sc_log_stream_lock = NULL;
    |                      ^
  CC       util-decode-asn1.o

CC       util-unittest.o
util-time.c: In function 'SCUtcTime':
util-time.c:222:12: error: implicit declaration of function 'gmtime_r'; did you mean 'gmtime_s'? [-Werror=implicit-function-declaration]
  222 |     return gmtime_r(&timep, result);
    |            ^~~~~~
    |            gmtime_s
util-time.c:222:12: warning: returning 'int' from a function with return type 'struct tm *' makes pointer from integer without a cast [-Wint-conversion]
  222 |     return gmtime_r(&timep, result);
    |            ^~~~~~~~~~~~~~~~~~~~~~
util-time.c: In function 'SCLocalTime':
util-time.c:305:9: error: implicit declaration of function 'localtime_r'; did you mean 'localtime_s'? [-Werror=implicit-function-declaration]
  305 |         localtime_r(&timep, &cached_local_tm[lru]);
    |         ^~~~~~~~~
    |         localtime_s
util-time.c:321:56: warning: comparison between pointer and integer
  321 |         if (localtime_r(&timep, &cached_local_tm[lru]) == NULL)
    |                                                        ^~
cc1.exe: some warnings being treated as errors
make[2]: * [Makefile:1779: util-time.o] Error 1
make[2]:  Waiting for unfinished jobs....
make[2]: Leaving directory '/home/BlayneBradleyDev/suricata-4.1.4/src'
make[1]:  [Makefile:499: all-recursive] Error 1
make[1]: Leaving directory '/home/BlayneBradleyDev/suricata-4.1.4'
make: * [Makefile:425: all] Error 2

Please advise as to my next step. I am trying to see if there's a way to install these libraries but either they are already installed (and the compilation is just ignoring them for some reason) or I can't find an obvious online repo.

Try installing -

 pacman -Sy mingw64/mingw-w64-x86_64-python3-yaml

After you have the exe apart from the suricata.yaml and rules you would also need to have the following DLLs in the Suri folder in order to start it:

libGeoIP-1.dll
libjansson-4.dll
liblz4.dll
liblzma-5.dll
libnspr4.dll
libpcre-1.dll
libplc4.dll
libplds4.dll
libwinpthread-1.dll
libyaml-0-2.dll
lua53.dll
msvcrt.dll
nss3.dll
nssutil3.dll
zlib1.dll

Peter Manev wrote:

After you have the exe apart from the suricata.yaml and rules you would also need to have the following DLLs in the Suri folder in order to start it:

[...]

Peter Manev wrote:

Try installing -
[...]
then rerun the compiling. I forgot to add that in.

Hello.I have similar problems with the build in Windows:

util-time.c: In function 'SCUtcTime':
util-time.c:222:12: error: implicit declaration of function 'gmtime_r'; did you mean 'gmtime_s'? [-Werror=implicit-function-declaration]
222 |     return gmtime_r(&timep, result);
|            ^~~~~~~~
|            gmtime_s
util-time.c:222:12: warning: returning 'int' from a function with return type 'struct tm *' makes pointer from integer without a cast [-Wint-conversion]
222 |     return gmtime_r(&timep, result);
|            ^~~~~~~~~~~~~~~~~~~~~~~~
util-time.c: In function 'SCLocalTime':
util-time.c:305:9: error: implicit declaration of function 'localtime_r'; did you mean 'localtime_s'? [-Werror=implicit-function-declaration]
305 |         localtime_r(&timep, &cached_local_tm[lru]);
|         ^~~~~~~~~~~
|         localtime_s
util-time.c:321:56: warning: comparison between pointer and integer
321 |         if (localtime_r(&timep, &cached_local_tm[lru]) == NULL)
|                                                        ^~
CC       util-unittest.o
cc1.exe: some warnings being treated as errors

UPD:
I have added in util-time.c:

#define _POSIX_C_SOURCE 200112L

Thank you.

Thank you for the feedback!
What windows version is that you are running? Do you have the same issue with 4.1.4 and 5.0beta1 ?
Was completely failing to compile before the fix for you ?

Forgot to mention as well if you would like - you could also try the ready to use MSI. Would appreciate much the feedback :) - https://www.openinfosecfoundation.org/download/windows/Suricata-4.1.3-1-64bit.msi you need to install npcap - https://nmap.org/npcap/dist/npcap-0.992.exe

Peter Manev wrote:

Thank you for the feedback!
What windows version is that you are running? Do you have the same issue with 4.1.4 and 5.0beta1 ?
Was completely failing to compile before the fix for you ?

Windows 10 x64. Suricata 4.1.4. Before this fix, I have run the instructions up until step 4 and have errors:

error: implicit declaration of function 'gmtime_r';

Ok - could you share your full config.log and full log of the run and errors on the screen ?

One more thing - it errs out and does not complete the run , right?

Hello again, I have attempted the suggestions.

pacman -Sy mingw64/mingw-w64-x86_64-python3-yaml

This gave me an error:

error: failed to commit transaction (conflicting files)
    mingw-w64-x86_64-libyaml: /mingw64/bin/libyaml-0-2.dll exists in filesystem
    mingw-w64-x86_64-libyaml: /mingw64/include/yaml.h exists in filesystem
    mingw-w64-x86_64-libyaml: /mingw64/lib/libyaml.a exists in filesystem
    mingw-w64-x86_64-libyaml: /mingw64/lib/libyaml.dll.a exists in filesystem
    mingw-w64-x86_64-libyaml: /mingw64/lib/pkgconfig/yaml-0.1.pc exists in filesystem
    Errors occurred, no packages were upgraded.

I used --overwrite to force it which seemed to install it, but the warnings still persist:

Warning: suricata-update will not be installed as the
        depedency python-yaml is not installed.

Debian/Ubuntu: apt install python-yaml
    Fedora: dnf install python-yaml
    CentOS/RHEL: yum install python-yaml

And:

WARNING!  magic library not found, go get it
   from http://www.darwinsys.com/file/ or your distribution:

Ubuntu: apt-get install libmagic-dev
   Fedora: dnf install file-devel
   CentOS/RHEL: yum install file-devel

And:

Compressed pcap logging is not available without liblz4.
  If you want to enable compression, you need to install it.

Ubuntu: apt-get install liblz4-dev
  Fedora: dnf install lz4-devel
  CentOS/RHEL: yum install epel-release
               yum install lz4-devel

I also attempted the change Andrey suggested:

#define _POSIX_C_SOURCE 200112L

I added it to line 59 to util-time.c after the #includes but the error persists:

util-time.c: In function 'SCUtcTime':
    util-time.c:224:12: error: implicit declaration of function 'gmtime_r'; did you mean 'gmtime_s'? [-Werror=implicit-function-declaration]
      224 |     return gmtime_r(&timep, result);
      |            ^~~~~~
      |            gmtime_s
    util-time.c:224:12: warning: returning 'int' from a function with return type 'struct tm *' makes pointer from integer without a cast [-Wint-conversion]
      224 |     return gmtime_r(&timep, result);
      |            ^~~~~~~~~~~~~~~~~~~~~~
    util-time.c: In function 'SCLocalTime':
    util-time.c:307:9: error: implicit declaration of function 'localtime_r'; did you mean 'localtime_s'? [-Werror=implicit-function-declaration]
      307 |         localtime_r(&timep, &cached_local_tm[lru]);
      |         ^~~~~~~~~
      |         localtime_s
    util-time.c:323:56: warning: comparison between pointer and integer
      323 |         if (localtime_r(&timep, &cached_local_tm[lru]) == NULL)
      |                                                        ^~

I am also on Windows 10 x64 (Home I think). I am actually doing this to try to figure out if there is a way to pursue options in extended or developing suricata for learning purposes on a windows development environment; preferably with an IDE like IntelliJ or Eclipse (Or even better Visual Studio); if there's advice on my broader goal I would appreciate it. Even on an Ubuntu environment this has been quite troublesome and I'd prefer not to edit individual files in notepad++.

@Bradley - you mwya want to try to do -

pacman -Syuu

then close the window and relaunch the mingw64 window again.
delete the untared sources you have and untar again suricata-4.1.4.tar.gz and start form scratch .

You could also just try the latest stable (4.1.4) or Beta (5.oBeta1) from the MSI here - https://suricata-ids.org/download/ (you just need to make sure you have npcap - https://nmap.org/npcap/dist/npcap-0.992.exe ). Thought I would mention it.

@Andrey - thank you for the info , will have a look and get back to you.

Yeah I did pacman -Syuu first way back at the beginning, and did it again:
$ pacman -Syuu
:: Synchronizing package databases...
mingw32 is up to date
mingw64 is up to date
msys is up to date
:: Starting core system upgrade...
there is nothing to do
:: Starting full system upgrade...
there is nothing to do

I'm compiling again, might try the beta next; probably will as I'm watching it compile and some of the same warnings about missing libraries (i.e z4) are still occurring. Some of these libraries seem like they just don't want to install.

Running the beta suricata I removed the rust component from the config:
$ ./configure --with-libpcap-includes=/npcap-sdk/Include --with-libpcap-libraries=/npcap-sdk/Lib/x64 --enable-lua --enable-geoip --disable-gccmarch-native && make clean && make -j 2

It error'd out much earlier:

checking jansson.h usability... no
    checking jansson.h presence... no
    checking for jansson.h... no
    checking for json_dump_callback in -ljansson... no

ERROR: Jansson is now required.

Go get it from your distribution or from:
      http://www.digip.org/jansson/

Ubuntu/Debian: apt install libjansson-dev
    CentOS: yum install jansson-devel
    Fedora: dnf install jansson-devel

Weirdly the stable release didn't have this issue.

Yes the newer release has an updated deps.
I think you could install the pkg like so (though these should be there already i think from the first run, a bit strange indeed) -

  pacman -S jansson  jansson-devel

pacman -S mingw64/mingw-w64-x86_64-jansson

Peter Manev wrote:

Yes the newer release has an updated deps.
I think you could install the pkg like so (though these should be there already i think from the first run, a bit strange indeed) -
[...]
If that does not do the trick you can try the following as well
[...]

I believe that worked to get past that error, I found it by using pacman -Ss to search for "jansson" and installed the missing one.

But that problem still persists for the following libraries and I have not been able to find them; here is the pastebin for the whole output now using the beta https://pastebin.com/Mu4KLgwH

And here are the notable errors:

checking magic.h usability... no
    checking magic.h presence... no
    checking for magic.h... no

WARNING!  magic library not found, go get it
   from http://www.darwinsys.com/file/ or your distribution:

Ubuntu: apt-get install libmagic-dev
   Fedora: dnf install file-devel
   CentOS/RHEL: yum install file-devel

And:

checking for getconf... /usr/bin/getconf
    checking for sphinx-build... no
    checking for pdflatex... no
    checking for rustc... /mingw64/bin/rustc
    checking for cargo... /mingw64/bin/cargo
    checking for ./rust/vendor... yes
    checking for cargo-vendor... no
      Warning: cargo-vendor not found, but it is only required
          for building the distribution
      To install: cargo install cargo-vendor
    checking for git... /usr/bin/git
    checking that generated files are newer than configure... done

And then this rust error:

Making all in rust
    make[2]: Entering directory '/home/BlayneBradleyDev/suricata-5.0.0-beta1/rust'
    cd ../rust && /mingw64/bin/python3 ./gen-c-headers.py
    cd ../rust && \
           CARGO_HOME=/home/BlayneBradleyDev/.cargo \
           CARGO_TARGET_DIR=/home/BlayneBradleyDev/suricata-5.0.0-beta1/rust/target \
           /mingw64/bin/cargo build --release --frozen \
                   --features "lua " 
    error: failed to load source for a dependency on `crc`

Caused by:
     Unable to update registry `https://github.com/rust-lang/crates.io-index`

Caused by:
     failed to update replaced source registry `https://github.com/rust-lang/crates.io-index`

Caused by:
     failed to read root of directory source: C:\home\BlayneBradleyDev\suricata-5.0.0-beta1\rust\vendor

Caused by:
     The system cannot find the path specified. (os error 3)
    make[2]: * [Makefile:533: all-local] Error 101
    make[2]: Leaving directory '/home/BlayneBradleyDev/suricata-5.0.0-beta1/rust'
    make[1]:  [Makefile:498: all-recursive] Error 1
    make[1]: Leaving directory '/home/BlayneBradleyDev/suricata-5.0.0-beta1'
    make: ** [Makefile:424: all] Error 2

ok - better but not yet.
Can you remove the "vendor" folder inside the "rust" folder and then redo the compile?

Peter Manev wrote:

ok - better but not yet.
Can you remove the "vendor" folder inside the "rust" folder and then redo the compile?

I get further but now back to the previous issue with "gmtime_r":

util-time.c: In function 'SCUtcTime':
    util-time.c:224:12: error: implicit declaration of function 'gmtime_r'; did you mean 'gmtime_s'? [-Werror=implicit-function-declaration]
      224 |     return gmtime_r(&timep, result);
      |            ^~~~~~
      |            gmtime_s
    util-time.c:224:12: warning: returning 'int' from a function with return type 'struct tm *' makes pointer from integer without a cast [-Wint-conversion]
      224 |     return gmtime_r(&timep, result);
      |            ^~~~~~~~~~~~~~~~~~~~~~
    util-time.c: In function 'SCLocalTime':
    util-time.c:307:9: error: implicit declaration of function 'localtime_r'; did you mean 'localtime_s'? [-Werror=implicit-function-declaration]
      307 |         localtime_r(&timep, &cached_local_tm[lru]);
      |         ^~~~~~~~~
      |         localtime_s
    util-time.c:323:56: warning: comparison between pointer and integer
      323 |         if (localtime_r(&timep, &cached_local_tm[lru]) == NULL)
      |                                                        ^~
    cc1.exe: some warnings being treated as errors
    make[2]: * [Makefile:1733: util-time.o] Error 1
    make[2]:  Waiting for unfinished jobs....
    make[2]: Leaving directory '/home/BlayneBradleyDev/suricata-5.0.0-beta1/src'
    make[1]:  [Makefile:498: all-recursive] Error 1
    make[1]: Leaving directory '/home/BlayneBradleyDev/suricata-5.0.0-beta1'
    make: * [Makefile:424: all] Error 2

This is with this line added to util-time.c:

#include "suricata-common.h" 
    #include "detect.h" 
    #include "threads.h" 
    #include "tm-threads.h" 
    #include "util-debug.h"

#define _POSIX_C_SOURCE 200112L

#ifdef UNITTESTS
    static struct timeval current_time = { 0, 0 };
    #endif
    //static SCMutex current_time_mutex = SCMUTEX_INITIALIZER;
    static SCSpinlock current_time_spinlock;
    static char live = TRUE;

struct tm *SCLocalTime(time_t timep, struct tm *result);
    struct tm *SCUtcTime(time_t timep, struct tm *result);

Peter Manev wrote:

Ok.
You could try just installing the MSI (link is present in one of my comments above) from the downloading page until i try to replicate exactly that err as i did a fresh clean install and could not replicate it.
What win OS exactly are you on ?
Also one thing i realized - in your Sys Environment variables do you have the path to msys's/bin/ folder - please see attached screenshot.

As I mentioned above, I am on Windows 10 x64 Pro* Edition (*Confirmed Pro).

Installing the MSI would not do me any good as the end goal is to develop suricata in a windows development environment. See my previous post:

I am actually doing this to try to figure out if there is a way to pursue options in extended or developing suricata for learning purposes on a windows development environment; preferably with an IDE like IntelliJ or Eclipse (Or even better Visual Studio); if there's advice on my broader goal I would appreciate it. Even on an Ubuntu environment this has been quite troublesome and I'd prefer not to edit individual files in notepad++.

I checked my environment variables and I did not see a reference pointing to where I installed msys2, so I added that, restarted the terminal and trying again, will keep you posted.

Same error, no luck.

Ok thank you for the feedback and help. I was asking abut exact version of OSes as I am not so familiar with Windows OS that much :) and suggesting the MSIs to get you faster up and running if needed, sorry for the noise.

I can reproduce that error report on Win 10 64 bit Enterprise.
I can not reproduce the same err on Windows 2016 Server 64 bit - it build/compiles fine. Could you confirm by any chance if it is building ok for you on 2016 Server? Exact same code/routine worked there for me. Not sure what exactly causes it not to build on Win 10, though i have a lot more win dev tools installed on the 2016 server.

I also noticed that some packages even though initially installed in Win 10/Msys upon closing the windows - still needed to be reinstalled to make those deps available for the build.

It's not exactly trivial to install a different OS, I think I might have a HyperV vm with windows server 2016 lying around somewhere and I try.

Which packages do you notice needing to be reinstalled? In my errors I reported above none of them I think resemble that sort of issue. There is currently one specific package that is missing (libmagic, google is not instructive, I only see people talking about 'python-magic' and imagemagick which don't appear to be the "file" command thingy). Beyond that the compilation errors imply to me some sort of fundamental issue, like build environment.

We have two functions, that according to the compiler are spelt wrong. gmtime_r and localtime_r and the compiler says it expects "_s" instead. Presumably this implies that there is some compiler setting that would accept _r; but currently it only accepts _s.

Now I am not too well versed into compiler errors, I just like to blindly change letters around until the red squiggly lines go away, but my best hypothesis here is that it's attempting to compile a linux convention sort of function but it's expecting a windows one instead.

https://stackoverflow.com/questions/19051762/difference-between-gmtime-r-and-gmtime-s

The difference is that gmtime_r(3) is a standard SUSv2 function. The closest you can find to gmtime_r() on a windows environment is gmtime_s(), which has its arguments reversed:

gmtime_r(const time_t*, struct tm*)
gmtime_s(struct tm*, const time_t*)
Basically, they both convert a time value to a tm structure. gmtime_r then return a pointer to this structure (or NULL if failed), whereas gmtime_s returns 0 if successful, and a errno_t in case of failure.

I wish Andrey kept posting because they might have found the solution:

Audrey wrote:

UPD:
I have added in util-time.c:
#define _POSIX_C_SOURCE 200112L
After this it compiles successfully

I would like to know precisely where am I supposed to put this line, because currently its currently location (just after the includes in utils-time.c) doesn't appear to work; but solved the exact same issue for Andrey.

Putting
[code]
#define _POSIX_C_SOURCE 200112L
[code]

BEFORE the includes like this:

[code]
#define _POSIX_C_SOURCE 200112L
#include "suricata-common.h"
#include "detect.h"
#include "threads.h"
#include "tm-threads.h"
#include "util-debug.h"
[/code]

In util-time.c fixed the issue after googling "_POSIX_C_SOURCE" to find an example. =/

The code now compiles. _*

Where can I find "msvcrt.dll"? All of the dll's aside from it and liblz4.dll were in the same folder; googling suggests I can also find msvcert.dll in the Windows folder and there are... Several... Can I use any of them?

I see someone encountered the same issue here: http://lists.openinfosecfoundation.org/pipermail/oisf-users/2019-May/016872.html

I was able to find wpcap.dll in my System32 folder, which is probably also something you might want to mention in your guide.

Ok
You need to specify the correct rule path location in suricata.yaml . You can get an ET Open ruleset from here for example - https://rules.emergingthreats.net/open/suricata-4.0/

If you need to provide a specific yaml config you can do it it like so :
suricata -vvv -c \path\to\suricata.yaml -i ip.ip.ip.ip

Or you can siecify it directly on the command line :
suricata -vvv -c \path\to\suricata.yaml -i ip.ip.ip.ip -S “\path\to\*.rules”

Uh, that is not my issue.

Peter Manev wrote:

Ok
You need to specify the correct rule path location in suricata.yaml . You can get an ET Open ruleset from here for example - https://rules.emergingthreats.net/open/suricata-4.0/

If you need to provide a specific yaml config you can do it it like so :
suricata -vvv -c \path\to\suricata.yaml -i ip.ip.ip.ip

Or you can siecify it directly on the command line :
suricata -vvv -c \path\to\suricata.yaml -i ip.ip.ip.ip -S “\path\to\*.rules”

My suricata.yaml file: ## ## Configure Suricata to load Suricata-Update managed rules. ## ## If this section is completely commented out move down to the "Advanced rule ## file configuration". ##

1. - suricata.rules
   - test.rules

1. Advanced rule file configuration. ##
2. If this section is completely commented out then your configuration
3. is setup for suricata-update as it was most likely bundled and
4. installed with Suricata. ##

#default-rule-path: C:\\Program Files (x86)\\Suricata\\rules

My command (my screenshot had -s signature.rules but it doesnt seem to matter if I omit it):
C:\Program Files (x86)\Suricata>suricata.exe -c suricata.yaml -i {myip}

As a result, "test.rules" doesn't get read; the issue is that it isn't reading ".rules" files at all, it isn't that it isn't finding the folder it is that it is reading the wrong filename extension on windows it is trying to find files ending with "*.rule" not "*.rules" and presumably it is supposed to find .rule*s* not ".rule".

If I change the file name to be test.rule instead of test.rules then it can load it.

If I attempt suricata -vvv -c suricata.yaml -i ip.ip.ip.ip” I get the same same error.
If I attempt suricata -vvv -c "path\to\suricata.yaml" -i ip.ip.ip.ip” I get the same same error.
If I attempt suricata -vvv -c suricata.yaml -i ip.ip.ip.ip ” I get the same same error.
If I attempt suricata -vvv -c suricata.yaml -i ip.ip.ip.ip -S "\path\to\rules\*.rules" I get the same same error.

There appears to be a bug; the Windows compiled suricata can't read the right extension.

Thank you for the feedback .
Couple of questions/comments

With respect to changing folder name s- it's actually just that - change (if needed) the folder names to wherever your rules files are located if not the regular default location. By default it should be the regular "Program Files" folder.

Question with regards to the "pcap_dump_hopen" err - did just moving just the "wpcap.dll" in the local run directory help fix the issue or it was the combination of wpcap.dll and msvcrt.dll ?

I would need to check out the "-s" issue you are experiencing and feedback.

Your feedback helps a lot to calibrate as it would be incorporated in the updated reworked Win docs - thanks for trying the the 5.0+ build, do you mind giving the latest git master a run ? (the only difference should be executing "./autogen.sh" before "./configure"). You mentioned you would like to develop on Suricata - so I would suggest the latest master.

Peter Manev wrote:

Thank you for the feedback .
Couple of questions/comments

With respect to changing folder name s- it's actually just that - change (if needed) the folder names to wherever your rules files are located if not the regular default location. By default it should be the regular "Program Files" folder.

I'm sorry but I do not know what issue of mine you are referring to here. I don't recall saying anything was wrong with my rules folder or regarding finding it.

I would need to check out the "-s" issue you are experiencing and feedback.

Basically the parser is not reading the last character. If my .yaml file looks like this:

rule-files:
     - my_custom_rules.rules

Suricata only reads this:

rule-files:
     - my_custom_rules.rule

And is missing the last s.

Unless I write it as this:
rule-files:
- my_custom_rules.ruless

Then it works.

Question with regards to the "pcap_dump_hopen" err - did just moving just the "wpcap.dll" in the local run directory help fix the issue or it was the combination of wpcap.dll and msvcrt.dll ?

Copying wpcap.dll appeared to fix the pcap_dump_hopen error; which was in system32.

I had asked about msvcrt.dll because it wasn't in the msys2 dll folder; so I searched and copied the first one I found from my Windows folder; I am not aware of any error regarding it.

Your feedback helps a lot to calibrate as it would be incorporated in the updated reworked Win docs - thanks for trying the the 5.0+ build, do you mind giving the latest git master a run ? (the only difference should be executing "./autogen.sh" before "./configure"). You mentioned you would like to develop on Suricata - so I would suggest the latest master.

Your feedback helps a lot to calibrate as it would be incorporated in the updated reworked Win docs - thanks for trying the the 5.0+ build, do you mind giving the latest git master a run ? (the only difference should be executing "./autogen.sh" before "./configure"). You mentioned you would like to develop on Suricata - so I would suggest the latest master.

Do you have any advice as to import Suricata into an IDE such as CLION or Eclipse? Either on Ubuntu or Windows? Or preferably windows? Is there anyone you can ask? I get the impression from the #suricata irc that the suricata team just uses emacs and make.

vim/gvim and others - there are plenty, whichever is preferred by the dev. I am not very familiar with Windows coding apps I must admit.

I would like to confirm where you copied the wpcap.dll to ? (the local folder where you started Suricata from?)

Also if I recall correctly the windows installation guide PDF file doesn't mention you also need to copy threshold.config file to the suricata folder; this was also something I needed to do last week.

Yes - some ppl take vim/gvim to more than just text editing though.

It seems form the screenshot you have it installed in "Program files 9x86)" ? Is it 32 or 64 bit exe you end up with ?

Peter Manev wrote:

Yes - some ppl take vim/gvim to more than just text editing though.

It seems form the screenshot you have it installed in "Program files 9x86)" ? Is it 32 or 64 bit exe you end up with ?

64 bit but I just happened to blindly put Suricata into the (x86) Program Files folder because that's what the PDF guide did; and then needed to edit the .yaml file to change "Program Files" to "Program Files (x86)" as a result.

If you try running it from the regular "Programs Folder" meant for 64bit installs - would it work as before/expected?

Which npcap version are you using by the way ?

Peter Manev wrote:

Which npcap version are you using by the way ?

Should be the one you linked. 0.992 in all likelyhood.

I can confirm that adding

#define _POSIX_C_SOURCE 200112L

https://github.com/OISF/suricata/pull/3961/commits/d8614a15c6b65c588eadddb5233dc9d0b304de04