Before you start ================ An up to date version of this document can be found online: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Windows Alternatively, an installation document for using CYGWIN instead of MinGW can be found here: https://redmine.openinfosecfoundation.org/attachments/download/676/SurWinInstallGuide.pdf This file describes how to build and run Suricata on Windows. Currently Windows XP and above are supported. Preparing the build environment =============================== 1. Setup MinGW environment from http://mingw.org Do not use the automatic installer as it is deprecated. Manually unpack the following packages to c:\mingw (use newer versions if you like): * binutils o binutils-2.20–1-mingw32-bin.tar.gz * mingw-runtime (dev and dll): o mingwrt-3.17-mingw32-dll.tar.gz o mingwrt-3.17-mingw32-dev.tar.gz * w32api o w32api-3.14-mingw32-dev.tar.gz * required runtime libraries for GCC (gmp, libiconv, MPFR and pthreads): o gmp-4.2.4-mingw32-dll.tar.gz o libiconv-1.13.1–1-mingw32-dll-2.tar.lzma o mpfr-2.4.1-mingw32-dll.tar.gz o pthreads-w32–2.8.0-mingw32-dll.tar.gz * gcc-core (bin and dll): o gcc-core-4.4.0-mingw32-bin.tar.gz o gcc-core-4.4.0-mingw32-dll.tar.gz * make o make-3.81–20090914-mingw32-bin.tar.gz * zlib o libz-1.2.3-1-mingw32-dll-1.tar.gz o libz-1.2.3-1-mingw32-dev.tar.gz 2. Install MSYS http://sourceforge.net/projects/mingw/files/ MSYS-1.0.11.exe (MSYS Base System) msysDTK-1.0.1.exe (MSYS Suplementary Tools) autoconf-2.63–1-msys-1.0.11-bin.tar.lzma automake-1.11–1-msys-1.0.11-bin.tar.lzma libtool-2.2.7a-1-msys-1.0.11-bin.tar.lzma MSYS will ask questions during the installation: Accept Post Install: [y] MinGW Installed? : [y] path to MinGW: [c:/MinGW] 3. Install pkg-config taken from http://wiki.videolan.org/Win32CompileMSYSNew#PKG-CONFIG Download and extract the following into c:\Msys\1.0 http://ftp.gnome.org/pub/GNOME/binaries/win32/glib/2.18/glib_2.18.2-1_win32.zip ftp://ftp.gnome.org/pub/gnome/binaries/win32/dependencies/pkg-config_0.23-3_win32.zip ftp://ftp.gnome.org/pub/gnome/binaries/win32/dependencies/pkg-config-dev_0.23-3_win32.zip Set PKG_CONFIG_PATH=/win32/lib/pkgconfig (e.g. by adding the Windows enviroment variable PKG_CONFIG_PATH in "Control Panel"->"System"->"Advanced System Settings"->"Environment Variables" and setting the value to /win32/lib/pkgconfig) 4. Get git Download portable GIT from this URL: http://code.google.com/p/msysgit/ - unpack to /msys/1.0 - don't forget to edit your ~/.gitconfig to at least give youreself a name :-) 5. Get libpcre http://www.pcre.org/ ./configure --enable-utf8 --disable-cpp --prefix=/mingw make make install 6. Get libyaml http://pyyaml.org/wiki/LibYAML It does not support mingw compilation. However it works in static mode: ./configure --prefix=/mingw CFLAGS="-DYAML_DECLARE_STATIC" make make install 7. Get libpcap Guide can be found here: - Download Devlopers pack http://www.winpcap.org/devel.htm - Download and install a coresponding installer package http://www.winpcap.org/install/default.htm (to have the driver in the system) - Copy includes to c:/mingw/include and libs (.a) to c:/mingw/lib - Rename libwpcap to libpcap 8. Get and compile Suricata git clone git://phalanx.openinfosecfoundation.org/oisf.git cd oisf Because of some weird autools port bug we do the following: dos2unix.exe libhtp/configure.ac dos2unix.exe libhtp/htp.pc.in dos2unix.exe libhtp/Makefile.am ./autogen.sh ./configure CFLAGS="-DYAML_DECLARE_STATIC" # add --enable-nfqueue as parameter to configure to enable inline mode make If everything goes well, you'll end up with suricata.exe in src/.lib. To test it you will need libpcre-0.dll, libz-1.dll, and pthreadGC2.dll which you already have somewhere under c:/mingw or c:/msys. To prepare the runtime environment: - copy the executable and the DLLs to a dedicated directory - get there classification.config and suricata.yaml - edit suricata.yaml (at least set the directories correctly) PCAP Mode ========= Make sure you have winpcap runtime and driver installed and then: - determine your eth device UUID in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\ - now cross your fingers and do: suricata.exe -c suricata.yaml -i \DEVICE\{your device uuid} Inline Mode =========== You need to downoad, compile and install netfilterforwin (the netfilter.sys driver and Windows port of the libnetfilter_queue library): 1. Download and install Windows Driver Kit from Microsoft http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=36a2630f-5d56-43b5-b996-7633f2ec14ff 2. Download netfilterforwin http://sourceforge.net/projects/netfilterforwin/ Unpack it so the netfilterforwin directory (omit the version from its name) is beside the oisf directory. 3. Compile the driver - Open the build environment from you Start menu: Start->All Programs->windows Driver Kits->WDK xxxx.yyyy.z->Build Environments ->Windows Server 2003->x86 Free Build Environment (or the one which is proper for your system) - cd to netfilterforwin/netfilter - enter command: nmake 4. Install the driver - copy inf/* files and the freshly built netfilter.sys to a separate directory - open network connecions - right-click an interface, select properties - click install... - select service - click add - click 'have disk...' - browse to the directory with the inf files and netfilter.sys, select netfilter.inf anc click ok - confirm everything You should have the driver installed now. 5. Run Suricata in inline mode: suricata.exe -c suricata.yaml -q 0