
Suricata IDS/IPS

Help and Quick Start Guide


Instructions for Windows
tested on Windows 10, Windows Server 2012R2/2016 64 bit.

Date: 27 August 2018

Author: Peter Manev (pevma)


Before you start Suricata IDS/IPS

You MUST have npcap (npcap win installer) installed in order to run Suricata IDS/IPS!

Rules

You will need rules, because Suricata inspects traffic based on rules. The rules usually
reside in the “INSTALLDIR\rules” directory. None are installed by default. You can
install them in any directory you wish, just make sure you change the path in the
suricata.yaml configuration file.

You can get them from:

• ProofPoint (Emerging Threats - ETPro ruleset) – the rules there are specially
tailored for Suricata, in order to use its advanced and specific features to the
maximum. You can also use the free ET Open ruleset.

• Write them yourself – if you have previous experience or you would like only
specific traffic to be inspected, you can write the necessary rules yourself. You
can find more info on rule writing here:

• Suricata Rule Writing Manual

After you have the rules, specify which rules you would like to activate or deactivate.
For example, to deactivate a rule, put a “#” at the beginning of its line, as in the
picture: the ones in green are deactivated.
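As an added example (not part of the original guide), the following PowerShell function applies that “#” convention by SID instead of by hand: it comments out the rules whose SIDs you want disabled and uncomments the ones you want re-enabled, leaving every other line as it was. The file path and the SIDs in the usage lines are placeholders.

```powershell
# Added example, not from the original guide. Toggles Suricata rules in a
# .rules file by SID: disabled rules get "# " prepended, enabled rules get
# a leading "#" removed. All other lines (comments, blank lines, rules not
# listed) are written back unchanged.
function Set-SuricataRuleState {
    param(
        [Parameter(Mandatory)][string]$Path,   # e.g. C:\Suricata\rules\local.rules
        [int[]]$Disable = @(),                 # SIDs to comment out
        [int[]]$Enable  = @()                  # SIDs to uncomment
    )
    $out = foreach ($line in Get-Content -Path $Path) {
        # Every Suricata rule carries a "sid:<number>;" option; use it as the key.
        if ($line -match 'sid\s*:\s*(\d+)\s*;') {
            $sid  = [int]$Matches[1]
            $bare = $line -replace '^\s*#\s*', ''   # rule text without a leading "#"
            if     ($Disable -contains $sid) { "# $bare" }
            elseif ($Enable  -contains $sid) { $bare }
            else                             { $line }
        }
        else { $line }
    }
    Set-Content -Path $Path -Value $out
}

# Usage (path and SIDs are placeholders): deactivate two rules, reactivate one.
Set-SuricataRuleState -Path 'C:\Suricata\rules\local.rules' -Disable 2000001, 2000002 -Enable 2000003

# Review the result before restarting Suricata:
Select-String -Path 'C:\Suricata\rules\local.rules' -Pattern 'sid:200000[123];'
```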

Configuration

It is important that you configure Suricata properly.

Suricata’s configuration file is called “suricata.yaml”. It is written in YAML syntax and holds
all your configuration variables – i.e. networks, interfaces, log file locations, rules
directories and many more.

Suricata.yaml already has default values and config options; here we will go over some
of them very briefly, so that you can get better acquainted with it.

For example, if you are not happy with the default options you can change them:

    default-log-dir: C:\Suricata\log
    ...
      - file:
          enabled: yes
          filename: C:\\Suricata\\suricata.log
    ...
    default-rule-path: C:\\Suricata\\rules\\
    classification-file: C:\\Suricata\\classification.config
    ...
    HOME_NET: "[192.168.0.0/16]"

For HOME_NET, put in whichever network(s) you want Suricata to inspect. The result should
look similar to the picture below:


NOTE: Please make sure that the directories are created or exist if you change from the default ones

Running Suricata

Open a cmd and go to your Suricata Directory OR just double click the icon on your
desktop and execute:

suricata.exe -c suricata.yaml -i 10.0.2.15

as shown in the picture below (in this case, 10.0.2.15 is the IP/interface I want
Suricata to listen on, i.e. the IP that my network card has been configured with):

And you have yourself Suricata running:


NOTE:

If you need to run Suricata on an interface that has no IP address (un-IP'd), thanks to
Rich Rumble for pointing this out:

You can get the NIC UUID in a variety of ways; the simplest is a single WMIC command
(from the cmd prompt, paste in the following):

wmic nicconfig get ipaddress,SettingID

If you know your NIC's IP you can filter the results with findstr:

wmic nicconfig get ipaddress,SettingID | findstr 1.2.3.4

(replace 1.2.3.4 with your NIC's IP)

Then use that as your interface argument example:

C:\Program Files\Suricata>suricata.exe -i \\DEVICE\\NPF_\{D53813F6-9382-4292-93A0-DA131DA66D9F\}

Make sure the double slashes are used, and a backslash is placed before the curly
braces!
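As an added example (not part of the original guide), this PowerShell function does the same lookup as the wmic step, but also lists adapters that have no IP address and builds the -i value in exactly the escaped form shown above. The function and parameter names are my own; 10.0.2.15 is the IP used earlier in the guide.

```powershell
# Added example, not from the original guide. Does what the wmic step above
# does, but also lists adapters that have no IP address, and builds the -i
# value in the form the guide shows: \\DEVICE\\NPF_\{GUID\} (double
# backslashes, backslash before each curly brace).
function Get-SuricataInterfaceArg {
    param(
        [string]$IPAddress,        # optional: select the adapter holding this IP
        [string]$DescriptionLike   # optional: select by adapter name, e.g. "Intel"
    )
    # SettingID is the adapter GUID that npcap uses in its \DEVICE\NPF_{...} names.
    $nics = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration |
            Where-Object { $_.SettingID }

    if ($IPAddress) {
        $nics = $nics | Where-Object { $_.IPAddress -contains $IPAddress }
    }
    elseif ($DescriptionLike) {
        $nics = $nics | Where-Object { $_.Description -like "*$DescriptionLike*" }
    }

    foreach ($nic in $nics) {
        # Escape the braces the way the guide's command line does.
        $guid = $nic.SettingID.Replace('{', '\{').Replace('}', '\}')
        if ($nic.IPAddress) { $ip = $nic.IPAddress -join ', ' } else { $ip = '(no IP)' }
        [pscustomobject]@{
            Description  = $nic.Description
            IPAddress    = $ip
            InterfaceArg = "\\DEVICE\\NPF_$guid"
        }
    }
}

# All adapters, including un-IP'd ones, with the argument ready to paste:
Get-SuricataInterfaceArg | Format-Table -AutoSize

# The adapter configured with 10.0.2.15 (the IP used in the guide above):
$arg = (Get-SuricataInterfaceArg -IPAddress '10.0.2.15').InterfaceArg
"suricata.exe -c suricata.yaml -i $arg"   # paste this line into the cmd prompt
```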

More Info and Documentation

You can find much more info about setting up and tuning Suricata here:

https://suricata.readthedocs.io/en/latest/what-is-suricata.html
