Project

General

Profile

Suricata » Suricata Installation »

Windows

NOTE -

2020-04-29 edit
----
Before installing Suricata on windows, install this prerequisite. Newer npcap versions may not work.
https://nmap.org/npcap/dist/npcap-0.992.exe
----

Suricata installation (and/or compilation from scratch) can be found here:
https://redmine.openinfosecfoundation.org/projects/suricata/files

also a windows binary - self extracting auto install package is available here:
http://www.openinfosecfoundation.org/index.php/download-suricata

2020-04-29 edit
----
Note In order to avoid errors like this: "The logging directory C:\\Program Files\\Suricata/log supplied by suricata.yaml doesn't exist. (note this orphan "/") Consider installing into this directory C:\Suricata and not into C:\Program Files\Suricata.
----

Preparing the build environment

The instructions below should be followed in the order they appear. If your configuration requires unique actions to compile the package and/or you significantly modify the configure shell script, please e-mail the details of your requirements and/or solution to .

Set up MinGW environment from http://mingw.org/

Do not use the automatic installer, as it is deprecated. Instead, manually unpack the following packages to c:\mingw (you may use newer versions if you prefer):


* binutils
    o binutils-2.20-1-mingw32-bin.tar.gz
* mingw-runtime (dev and dll)
    o mingwrt-3.17-mingw32-dll.tar.gz
    o mingwrt-3.17-mingw32-dev.tar.gz
* w32api
    o w32api-3.14-mingw32-dev.tar.gz
* Required runtime libraries for GCC (gmp, libiconv, MPFR and pthreads)
    o gmp-4.2.4-mingw32-dll.tar.gz
    o libiconv-1.13.1-1-mingw32-dll-2.tar.lzma
    o mpfr-2.4.1-mingw32-dll.tar.gz
    o pthreads-w32-2.8.0-mingw32-dll.tar.gz
* gcc-core (bin and dll)
    o gcc-core-4.4.0-mingw32-bin.tar.gz
    o gcc-core-4.4.0-mingw32-dll.tar.gz
* make
    o make-3.81-20090914-mingw32-bin.tar.gz
* zlib
    o libz-1.2.3-1-mingw32-dll-1.tar.gz
    + libz-1.2.3-1-mingw32-dev.tar.gz

Download MSYS

Get MSYS from http://sourceforge.net/projects/mingw/files/ and install

MSYS-1.0.11.exe (MSYS Base System)
msysDTK-1.0.1.exe (MSYS Suplementary Tools)
autoconf-2.63-1-msys-1.0.11-bin.tar.lzma
automake-1.11-1-msys-1.0.11-bin.tar.lzma
libtool-2.2.7a-1-msys-1.0.11-bin.tar.lzma

MSYS will ask the following questions during installation.

Accept Post Install: [y]
MinGW Installed? : [y]
path to MinGW: [c:/MinGW]

Download pkg-config

Install pkg-config taken from http://wiki.videolan.org/Win32CompileMSYSNew#PKG-CONFIG
Download and extract the following into c:\Msys\1.0

   http://ftp.gnome.org/pub/GNOME/binaries/win32/glib/2.18/glib_2.18.2-1_win32.zip
   ftp://ftp.gnome.org/pub/gnome/binaries/win32/dependencies/pkg-config_0.23-3_win32.zip
   ftp://ftp.gnome.org/pub/gnome/binaries/win32/dependencies/pkg-config-dev_0.23-3_win32.zip


Set PKG_CONFIG_PATH=/win32/lib/pkgconfig

(e.g. by adding the Windows environment variable PKG_CONFIG_PATH in "Control Panel"->"System"->"Advanced System Settings"->"Environment Variables" and setting the value to /win32/lib/pkgconfig)

Download Git sources

Get Git sources from http://code.google.com/p/msysgit/

Unpack to /msys/1.0
Remember to edit ~/.gitconfig to set your username

Download libpcre

Get libpcre from http://www.pcre.org/

./configure --enable-utf8 --disable-cpp --prefix=/mingw
make
make install

Download libyaml

Download libyaml from http://pyyaml.org/wiki/LibYAML

Though libyaml does not support mingw compilation, it does work in static mode.

./configure --prefix=/mingw CFLAGS="-DYAML_DECLARE_STATIC" 
make
make install

Download libpcap

Download the developer pack from http://www.winpcap.org/devel.htm
To have the driver in the system, download and install a corresponding installer package from http://www.winpcap.org/install/default.htm
Copy includes to c:/mingw/include and libs (.a) to c:/mingw/lib
Rename libwpcap.a to libpcap.a

Get and compile Suricata

git clone git://phalanx.openinfosecfoundation.org/oisf.git
cd oisf

Because of an autotools port bug, you will need to do the following:

dos2unix.exe libhtp/configure.ac
dos2unix.exe libhtp/htp.pc.in
dos2unix.exe libhtp/Makefile.am

./autogen.sh
./configure CFLAGS="-DYAML_DECLARE_STATIC"

Add --enable-nfqueue as a configurable parameter to enable inline mode.

make

If the full installation is successful, suricata.exe will be located in src/.lib. To test your build, you will need libpcre-0.dll, libz-1.dll, and pthreadGC2.dll, all of which should already be installed under c:/mingw or c:/msys.
preparing the runtime environment.

To prepare the runtime environment, you must copy the executable and DLLs to a dedicated directory. Get the classification.config and suricata.yaml, and then edit suricata.yaml to ensure the directories are correctly identified.

pcap mode

If you have not already done so, install winpcap runtime and its driver. Then, determine your eth device UUID in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
suricata.exe -c suricata.yaml -i \device\

In the example above, device should be replaced with your device uuid.

Inline mode

To operate in inline mode, you must download, compile and install netfilterforwin, which is the netfilter.sys driver and Windows port of the libnetfilter_queue library.

Download and install the Windows Driver Kit from Microsoft
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=36a2630f-5d56-43b5-b996-7633f2ec14ff

Download netfilterforwin from http://sourceforge.net/projects/netfilterforwin/
Unpack it so the netfilterforwin directory is beside the oisf directory. You must omit the version from its name.

Compile the driver
Open the correct build environment from your Start menu

Start > All Programs > Windows Driver Kits > WDK xxxx.yyyy.z > Build Environments > Windows Server 2003 > x86 Free Build Environment

At your command line prompt, enter the following:

cd netfilterforwin/netfilter
nmake

Install the driver
Copy inf/* files and the freshly built netfilter.sys to a separate directory, and then open the network connections.
Right-click an interface, then select Properties
Click install...
Select Service
Click Add
Click Have disk...
Browse to the directory with the inf files and netfilter.sys, select netfilter.inf, and then click Ok.
Confirm everything

The driver is now installed.

Run Suricata in inline mode

      suricata.exe -c suricata.yaml -q 0