Windows Installation Guide For Suricata IDS/IPS/NSM


This is a Suricata Windows Installation Guide – compilation from scratch.

Tested on Windows 7, Windows 8, Windows Server 2008R2 and Server 2012 64 bit.

Date: 9 Feb 2016

Document Version: 1.4.3

Author: Peter Manev (pevma)

INSTALLATION

CYGWIN – OVERVIEW OF INSTALLATION

CYGWIN – DOWNLOAD AND INSTALL

INSTALL SURICATA SPECIFIC DEPENDENCIES

SYSTEM VARIABLES - ADD PATHS

GET LIBPCAP – FOR WINDOWS

START CYGWIN

    JSON log output – eve.json

COMPILE SURICATA

    Suricata from git – latest version

    Suricata Stable, Beta or RC compilation

SET UP SURICATA FOR WINDOWS

    Set up and copy needed config and dll files

    Download rules

    Adjust suricata.yaml configuration

CHECK ENABLED FEATURES FOR SURICATA

RUN SURICATA

    Run Suricata on an un-ip'd interface

INFO AND DOCUMENTATION
This is a guide on how to compile and come up with your own executable/binary of
Suricata IDS/IPS on Windows. If you do not want to do that – there is an automated
installation (MSI) Windows native package here:

http://suricata-ids.org/download/

Just run it and it will install and set up Suricata for you on your Windows system.

Installation

Cygwin – overview of installation

NOTE: Download setup-x86.exe (32-bit installation). A compilation under a 64 bit
Cygwin installation will not work, since WinPcap has only 32 bit downloads available
and the compilation will fail.

After the installation is done you will need to add the packages below to your
Cygwin installation – they are needed for Suricata to run:

libmpfr4, libmpfr-devel, mpfr, mingw-pthreads, gcc-core, make, automake,
automake1.9, zlib, zlib-devel, zlib0, autoconf, autoconf2.5, libtool, libglib2.0-devel,
libglib2.0_0, pkg-config, libyaml-devel, libyaml0_2, libpcre1, libpcre-devel, file-devel,
gcc-g++, wget

Extra and useful libraries/packages for enabling extra features at compile/make
time or for compiling from git (latest devel version of Suricata):

luajit, luajit-devel, libGeoIP-devel, libGeoIP1, libnss-devel, libnss3, libnspr-devel,
libnspr4, git

The above packages will allow us to enable the following extra features of Suricata
at compile and build time –

➢ Lua (lua scripting)

➢ GeoIP

➢ MD5

➢ possibility to git clone the latest code if needed

Cygwin – download and install

The following installation instructions were executed on Windows Server 2012R2
64 bit.

About 500-600 MB of disk space is needed in total with all the necessary prerequisites
installed.

Download http://cygwin.com/setup-x86.exe, then double-click setup-x86.exe to install.

Go ahead and install it with the default options (basically just click next and ok).

Here, select any mirror you want:

Click next to continue:

Next again to proceed with installation of the base packages:

Then you are going to see a progress bar:

Install Suricata specific dependencies

After the installation is finished – we need to install the Suricata specific build
dependencies (as described just before this section).

Go back and double-click the very same setup-x86.exe – we will need to install the
extra packages necessary for Suricata to run.

Click next and ok until you are presented with the following screen:

Here is where we search for, select and queue for installation the additional packages
needed.

In the picture below, type the name of the package in the search box – the results
are returned automatically; select the necessary package. Clear the contents of the
search box, type in the name of the next package, select it … and so on.

Do the same for all the needed packages; DO NOT hit Next until you have selected
all the packages.

The necessary packages are:

libmpfr4, libmpfr-devel, mpfr, mingw-pthreads, gcc-core, make, automake,
automake1.9, zlib, zlib-devel, zlib0, autoconf, autoconf2.5, libtool, libglib2.0-devel,
libglib2.0_0, pkg-config, libyaml-devel, libyaml0_2, libpcre1, libpcre-devel, file-devel,
gcc-g++, wget

And if you would like to enable extra functionality -

luajit, luajit-devel, libGeoIP-devel, libGeoIP1, libnss-devel, libnss3, libnspr-devel,
libnspr4, git

After you are done selecting the packages – make sure the “search” box is cleared,
click the “view” button until the text on the right of the button displays “pending”.

Check and make sure all the needed packages are selected! If something is missing,
go back and select it!

Click Next:

After that click next (make sure the option “select required packages
(RECOMMENDED)” is selected!) :

The extra packages that you have selected will start to download and install:

This could also take 5 min or so. Then click finish:

System variables - add paths
Add the following to the system path variable (Win 7, Win 8, 2008, 2012 Server:
Control Panel\System and Security\System\Advanced system settings\Environment
Variables):

C:\cygwin\bin;C:\cygwin\lib\pkgconfig;

Add the above to the environment system variables in your Windows system!! See the
picture below.

Edit the system path variable:

Add C:\cygwin\bin;C:\cygwin\lib\pkgconfig; to the end of the “Variable value” path:
Get libpcap – for windows
Go to http://www.winpcap.org/install/default.htm and download the WinPcap
installer for Windows (at the time of this writing the current version was 4.1.3).

Install WinPcap (double-click, and just use the default options, basically click
next and ok until finished).

The next part is IMPORTANT: we also need the WinPcap developer's pack, Suricata
cannot run on Windows without it.

After the installer is done go to http://www.winpcap.org/devel.htm. Download the
package and unpack it anywhere you like.

Copy libraries (from the unpacked directory) like this:

➢ Copy ALL the content of WpdPack\Lib\ to cygwin\lib\

➢ Rename “libwpcap” to “libpcap” (in your cygwin\lib\ directory)

➢ Copy all headers (all the content) from WpdPack\Include\ to
C:\cygwin\usr\include\

Start Cygwin

Open CYGWIN. Double click your CYGWIN icon on your desktop. A Linux/bash like
command prompt will open:

JSON log output – eve.json

When compiling Suricata, if the libjansson4/libjansson-dev package is available on
the system, Suricata will autodetect it and enable JSON log output (one can check
with suricata.exe --build-info).

Since there is no libjansson4 or libjansson-dev package readily available for
Cygwin under Windows, it can be compiled manually from source like so:

wget http://www.digip.org/jansson/releases/jansson-2.7.tar.gz

tar xvf jansson-2.7.tar.gz && cd jansson-2.7

./configure --prefix=/usr && make clean && make && make install

That will enable JSON and eve.json availability for log output with Suricata on
Windows.

Compile Suricata
Suricata from git – latest version
(next section describes compilation for stable,beta,RC)

Get and compile Suricata.

As you are still in the CYGWIN environment -

Type in

git clone git://phalanx.openinfosecfoundation.org/oisf.git

Then after it is done

cd oisf

Then we need libhtp:

git clone git://github.com/ironbee/libhtp.git -b 0.5.x

Then we execute the following command (type and hit enter):

./autogen.sh && ./configure --enable-luajit --enable-pie --enable-geoip --disable-gccmarch-native --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ --with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr && make clean && make

That will start configuration and compilation of Suricata.

The part -

--with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ --with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr

will enable MD5 functionality for Suricata.

Like so:

Let it run… this could take a few minutes or so.

After it is done your suricata.exe binary will be located under
src/.libs/suricata.exe:

Suricata Stable, Beta or RC compilation

As you are still in the CYGWIN environment -

This section uses Suricata 3.0RC3 as an example.

If you want to install Suricata stable you can find it here -
http://suricata-ids.org/download/

Go to a tmp dir. Type in and hit enter to complete each step:

1) wget http://www.openinfosecfoundation.org/download/suricata-3.0RC3.tar.gz
2) tar -zxf suricata-3.0RC3.tar.gz
3) cd suricata-3.0RC3
4) libtoolize -c && autoreconf -fv --install && ./configure --enable-luajit --enable-pie --enable-geoip --disable-gccmarch-native --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ --with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr && make clean && make

The part -

--with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ --with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr

will enable MD5 functionality for Suricata.

NOTE: Please note the difference in the compilation line (4 above) for
stable/beta/RC and for git.

After it is done the suricata.exe binary will be located in the folder
/src/.libs/suricata.exe

Next steps.

For the instructions below, if you want to use stable or RC3 (as opposed to latest git
Suricata) – just substitute the oisf directory with the appropriate name –
suricata-3.0RC3 for example.

Set up Suricata for Windows

Set up and copy needed config and dll files
Create the following directories:

➢ C:\Program Files (x86)\Suricata\log

➢ C:\Program Files (x86)\Suricata\log\files

➢ C:\Program Files (x86)\Suricata\log\certs

➢ C:\Program Files (x86)\Suricata\rules

Then copy the suricata.exe file from C:\cygwin\tmp\oisf\src\.libs to
C:\Program Files (x86)\Suricata

NOTE: It is not a must to place Suricata in C:\Program Files (x86)\Suricata you can
place it anywhere you would like.

Copy (from C:\cygwin\bin)

1. cyggcc_s-1.dll
2. cygGeoIP-1.dll
3. cygluajit-5.1-2.dll
4. cygmagic-1.dll
5. cygnspr4.dll
6. cygnss3.dll
7. cygnssutil3.dll
8. cygpcre-1.dll
9. cygplc4.dll
10. cygplds4.dll
11. cygwin1.dll
12. cygz.dll

to your C:\Program Files (x86)\Suricata directory

Also copy C:\cygwin\usr\share\misc\magic.mgc to your C:\Program Files (x86)\Suricata
directory
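Copying a dozen DLLs by hand is easy to get wrong, and a missing one only shows up when suricata.exe refuses to start. The script below is an added example and not part of this guide: run from the Cygwin bash prompt, it does the copy step above and refuses to copy anything unless every listed DLL and magic.mgc are present. The source and destination paths are parameters (the guide's C:\cygwin\bin is /bin inside Cygwin, and C:\Program Files (x86)\Suricata is /cygdrive/c/Program Files (x86)/Suricata); the directories that demo_copy creates are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): copy the Cygwin runtime DLLs
# and magic.mgc into the Suricata directory, checking every source file first
# so a typo in a DLL name fails here rather than at suricata.exe start-up.

# The DLLs the guide lists for C:\cygwin\bin.
RUNTIME_DLLS="cyggcc_s-1.dll cygGeoIP-1.dll cygluajit-5.1-2.dll cygmagic-1.dll
cygnspr4.dll cygnss3.dll cygnssutil3.dll cygpcre-1.dll cygplc4.dll cygplds4.dll
cygwin1.dll cygz.dll"

# copy_runtime_files SRC_BIN SRC_MAGIC DEST
#   SRC_BIN   Cygwin bin directory (C:\cygwin\bin, i.e. /bin inside Cygwin)
#   SRC_MAGIC magic database (C:\cygwin\usr\share\misc\magic.mgc)
#   DEST      Suricata install directory
# Prints the missing source files and returns 1 without copying anything if
# one is absent, so DEST is never left half populated.
copy_runtime_files() {
    local src_bin="$1" src_magic="$2" dest="$3"
    local missing="" f
    for f in $RUNTIME_DLLS; do
        [ -f "$src_bin/$f" ] || missing="$missing $f"
    done
    [ -f "$src_magic" ] || missing="$missing $src_magic"
    if [ -n "$missing" ]; then
        printf 'missing:%s\n' "$missing" >&2
        return 1
    fi
    mkdir -p "$dest"
    for f in $RUNTIME_DLLS; do
        cp "$src_bin/$f" "$dest/"
    done
    cp "$src_magic" "$dest/"
}

# count_runtime_files DEST: how many of the 13 expected files DEST contains.
count_runtime_files() {
    local dest="$1" n=0 f
    for f in $RUNTIME_DLLS magic.mgc; do
        if [ -f "$dest/$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Demonstration on constructed directories, so it runs without a Cygwin install.
demo_copy() {
    local work
    work=$(mktemp -d)
    mkdir -p "$work/bin" "$work/misc"
    for f in $RUNTIME_DLLS; do : > "$work/bin/$f"; done
    : > "$work/misc/magic.mgc"
    copy_runtime_files "$work/bin" "$work/misc/magic.mgc" "$work/Suricata" || return 1
    count_runtime_files "$work/Suricata"
    rm -rf "$work"
}

# Real run from the Cygwin prompt (paths as used in this guide):
#   copy_runtime_files /bin /usr/share/misc/magic.mgc "/cygdrive/c/Program Files (x86)/Suricata"
```

If you installed Suricata somewhere other than C:\Program Files (x86)\Suricata, as the note above allows, only the third argument changes.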

Download rules

Go to http://rules.emergingthreats.net/open/suricata/

Download a rule set.

http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz

Unzip/untar the rule set in the C:\Suricata\rules directory.

Then go to C:\cygwin\tmp\oisf and copy classification.config, reference.config and
suricata.yaml to C:\Program Files (x86)\Suricata

Adjust suricata.yaml configuration

Open suricata.yaml with an editor – Notepad, Notepad++, whichever you like – and
change the following lines:

# The default logging directory. Any log or output file will be
# placed here if its not specified with a full path name. This can be
# overridden with the -l command line parameter.
default-log-dir: C:\\Program Files (x86)\\Suricata\\log\\

....

# Magic file. The extension .mgc is added to the value here.
#magic-file: /usr/share/file/magic
magic-file: C:\Program Files (x86)\Suricata\magic.mgc

outputs:
  - console:
      enabled: yes
      # type: json
  - file:
      enabled: yes
      filename: C:\\Program Files (x86)\\Suricata\\log\\suricata.log
      # type: json

# Set the default rule path here to search for the files.
# if not set, it will look at the current working dir
default-rule-path: C:\\Program Files (x86)\\Suricata\\rules\\

rule-files:

classification-file: C:\Program Files (x86)\Suricata\classification.config
reference-config-file: C:\Program Files (x86)\Suricata\reference.config

...

vars:
  # Holds the address group vars that would be passed in a Signature.
  # These would be retrieved during the Signature address parsing stage.
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"

(adjust the HOME_NET network ranges to the ones that you want Suricata to inspect)

Check enabled features for Suricata

Open a cmd as ADMINISTRATOR!!!

Go to C:\Program Files (x86)\Suricata and execute

suricata.exe --build-info
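Rather than eyeballing the --build-info screen, the features can be checked mechanically. The script below is an added example, not from this guide: it parses the Features: line of suricata.exe --build-info (piped in from the Cygwin prompt) and lists any of the Lua, GeoIP, NSS (MD5) and libjansson (JSON) flags that are missing, so a forgotten configure switch or Cygwin package is caught before the rules and suricata.yaml are set up. The sample build-info text in it is constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): check that the optional
# features this guide builds in really made it into suricata.exe, by parsing
# the "Features:" line of "suricata.exe --build-info". The sample output
# below is constructed for the example; the HAVE_* names are the flags
# Suricata prints for Lua, GeoIP, NSS (MD5) and libjansson (JSON) support.

# Features the extra Cygwin packages and configure switches are meant to enable.
WANTED_FEATURES="HAVE_LUAJIT HAVE_GEOIP HAVE_NSS HAVE_LIBJANSSON"

# check_build_info: reads --build-info text on stdin, prints any wanted
# feature that is missing (one per line) and returns 1; returns 0 when all
# wanted features are present.
check_build_info() {
    local features missing="" f
    features=$(tr -d '\r' | grep '^Features:' | head -n 1)
    for f in $WANTED_FEATURES; do
        case " $features " in
            *" $f "*) ;;                 # present
            *) missing="$missing $f" ;;  # absent
        esac
    done
    if [ -n "$missing" ]; then
        printf '%s\n' $missing
        return 1
    fi
    return 0
}

# Constructed sample: a build with Lua, GeoIP and JSON but compiled without
# the --with-libnss-*/--with-libnspr-* switches, so HAVE_NSS is absent.
SAMPLE_BUILD_INFO='This is Suricata version 3.0RC3 RELEASE
Features: PCAP_SET_BUFF HAVE_LUAJIT HAVE_GEOIP HAVE_LIBJANSSON HAVE_PCAP
SIMD support: none'

# Run against the sample; on a real install use:
#   ./suricata.exe --build-info | check_build_info
printf '%s\n' "$SAMPLE_BUILD_INFO" | check_build_info \
    || echo "features listed above are missing: re-run configure with the matching switches"
```

A missing HAVE_NSS points back at the --with-libnss-*/--with-libnspr-* part of the configure line, a missing HAVE_LIBJANSSON at the jansson build in the eve.json section.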

Run Suricata

Open a cmd as ADMINISTRATOR!!!

Go to C:\Program Files (x86)\Suricata and execute

C:\Program Files (x86)\Suricata>suricata.exe -c suricata.yaml -i 10.0.2.15 -v

like shown on the picture below (in this case 10.0.2.15 is the IP/interface I want
Suricata to listen to, i.e. the IP that my network card has been configured with):

And you have yourself Suricata running (the start time depends on the PC/Server
CPU/MEM availability and of course on how many rules and what options you have
enabled in suricata.yaml):

Run Suricata on an un-ip'd interface

If you need to run Suricata on an un-ip'd interface (thanks to Rich Rumble for
pointing that out):

You can get the NIC UUID in a variety of ways; the simplest is using a single
WMIC command (from a cmd prompt paste in the following):

wmic nicconfig get ipaddress,SettingID

If you know your NIC's IP you can filter the results with findstr:

wmic nicconfig get ipaddress,SettingID | findstr 1.2.3.4

(replace 1.2.3.4 with your NIC's IP)

Then use that as your interface argument:

suricata.exe -c suricata.yaml -i \\DEVICE\\NPF_\{EE7B2A76-9343-449F-B3D8-3CB0F37DCA49\}

Make sure the double backslashes are used, and a backslash is placed before the curly
braces!
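The wmic output can be parsed instead of read by eye. The script below is an added example, not from this guide, and assumes it runs from the Cygwin bash prompt (where wmic.exe is on the PATH): it pulls the SettingID for a given IP, or for every adapter whose IPAddress column is empty (the un-ip'd case), and prints the -i argument with the doubled backslashes and escaped braces described above. The wmic output embedded in it is constructed for the example; the first GUID is the one shown in the guide, the second is a placeholder.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): turn the output of
#   wmic nicconfig get ipaddress,SettingID
# into the -i argument Suricata needs for an interface addressed by its NPF
# device name, with the doubled backslashes and escaped braces the guide
# calls for. Assumes it is run from the Cygwin bash prompt, where wmic.exe
# is on the PATH; the wmic output below is constructed for the example.

# guid_for_ip IP: reads wmic output on stdin and prints the SettingID (GUID)
# of the adapter holding that IP. The IP is matched as a whole quoted array
# element, so 10.0.2.1 does not match 10.0.2.15 the way a bare findstr would.
guid_for_ip() {
    local ip="$1"
    tr -d '\r' | grep -F "\"$ip\"" \
        | sed -n 's/.*{\([0-9A-Fa-f-]*\)}[[:space:]]*$/\1/p' | head -n 1
}

# guids_without_ip: prints the SettingIDs of adapters with an empty IPAddress
# column, i.e. the un-ip'd interfaces this section is about.
guids_without_ip() {
    tr -d '\r' | sed -n 's/^[[:space:]]*{\([0-9A-Fa-f-]*\)}[[:space:]]*$/\1/p'
}

# npf_arg GUID: the escaped device name to pass after -i.
npf_arg() {
    printf '\\\\DEVICE\\\\NPF_\\{%s\\}\n' "$1"
}

# Constructed sample of wmic output: one adapter without an IP (the GUID from
# the guide) and one with a placeholder GUID and the guide's example IP.
SAMPLE_WMIC='IPAddress                                  SettingID
                                           {EE7B2A76-9343-449F-B3D8-3CB0F37DCA49}
{"10.0.2.15", "fe80::1c2d:3e4f:5a6b:7c8d"}  {00000000-0000-0000-0000-000000000001}'

# Demonstration; on a live system replace the printf with:
#   wmic nicconfig get ipaddress,SettingID
for guid in $(printf '%s\n' "$SAMPLE_WMIC" | guids_without_ip); do
    echo "un-ip'd adapter: suricata.exe -c suricata.yaml -i $(npf_arg "$guid")"
done
```

guid_for_ip is the scripted form of the findstr filter above; guids_without_ip covers the case the section is actually about, where there is no IP to filter on.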

That’s it.

From here on it is up to you to configure Suricata the way it suits you best!

Thanks for trying Suricata!

Info and documentation

You can find much more info about setting up and tuning Suricata here:

https://redmine.openinfosecfoundation.org/projects/suricata/wiki
