Autogenerated on 2012-11-29
from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Windows
Windows
NOTE -
A newer set of instructions for installing Suricata on Windows (and/or
compiling it from scratch) can be found here:
https://redmine.openinfosecfoundation.org/projects/suricata/files
A Windows binary (self-extracting auto-install package) is also available here:
http://www.openinfosecfoundation.org/index.php/download-suricata
Preparing the build environment
The instructions below should be followed in the order they appear. If your
configuration requires unique actions to compile the package and/or you
significantly modify the configure shell script, please e-mail the details of
your requirements and/or solution to bugreports@openinfosecfoundation.org.
Set up MinGW environment from http://mingw.org/
Do not use the automatic installer, as it is deprecated. Instead, manually
unpack the following packages to c:\mingw (you may use newer versions if you
prefer):
* binutils
o binutils-2.20-1-mingw32-bin.tar.gz
* mingw-runtime (dev and dll)
o mingwrt-3.17-mingw32-dll.tar.gz
o mingwrt-3.17-mingw32-dev.tar.gz
* w32api
o w32api-3.14-mingw32-dev.tar.gz
* Required runtime libraries for GCC (gmp, libiconv, MPFR and pthreads)
o gmp-4.2.4-mingw32-dll.tar.gz
o libiconv-1.13.1-1-mingw32-dll-2.tar.lzma
o mpfr-2.4.1-mingw32-dll.tar.gz
o pthreads-w32-2.8.0-mingw32-dll.tar.gz
* gcc-core (bin and dll)
o gcc-core-4.4.0-mingw32-bin.tar.gz
o gcc-core-4.4.0-mingw32-dll.tar.gz
* make
o make-3.81-20090914-mingw32-bin.tar.gz
* zlib
o libz-1.2.3-1-mingw32-dll-1.tar.gz
o libz-1.2.3-1-mingw32-dev.tar.gz
Download MSYS
Get MSYS from http://sourceforge.net/projects/mingw/files/ and install
MSYS-1.0.11.exe (MSYS Base System)
msysDTK-1.0.1.exe (MSYS Supplementary Tools)
autoconf-2.63-1-msys-1.0.11-bin.tar.lzma
automake-1.11-1-msys-1.0.11-bin.tar.lzma
libtool-2.2.7a-1-msys-1.0.11-bin.tar.lzma
MSYS will ask the following questions during installation.
Accept Post Install: [y]
MinGW Installed? : [y]
path to MinGW: [c:/MinGW]
Download pkg-config
Install pkg-config as described at http://wiki.videolan.org/Win32CompileMSYSNew#PKG-CONFIG
Download and extract the following into c:\Msys\1.0
http://ftp.gnome.org/pub/GNOME/binaries/win32/glib/2.18/glib_2.18.2-1_win32.zip
ftp://ftp.gnome.org/pub/gnome/binaries/win32/dependencies/pkg-config_0.23-3_win32.zip
ftp://ftp.gnome.org/pub/gnome/binaries/win32/dependencies/pkg-config-dev_0.23-3_win32.zip
Set PKG_CONFIG_PATH=/win32/lib/pkgconfig
(e.g. by adding the Windows environment variable PKG_CONFIG_PATH in "Control
Panel"->"System"->"Advanced System Settings"->"Environment Variables" and
setting the value to /win32/lib/pkgconfig)
Download Git sources
Get Git sources from http://code.google.com/p/msysgit/
Unpack to /msys/1.0
Remember to edit ~/.gitconfig to set your username
Download libpcre
Get libpcre from http://www.pcre.org/
./configure --enable-utf8 --disable-cpp --prefix=/mingw
make
make install
Download libyaml
Download libyaml from http://pyyaml.org/wiki/LibYAML
libyaml's build does not officially support MinGW, but a static build works, so
define YAML_DECLARE_STATIC when configuring:
./configure --prefix=/mingw CFLAGS="-DYAML_DECLARE_STATIC"
make
make install
Download libpcap
Download the developer pack from http://www.winpcap.org/devel.htm
To get the WinPcap driver itself onto the system, download and run the matching
installer package from http://www.winpcap.org/install/default.htm
Copy includes to c:/mingw/include and libs (.a) to c:/mingw/lib
Rename libwpcap.a to libpcap.a
Get and compile Suricata
git clone git://phalanx.openinfosecfoundation.org/oisf.git
cd oisf
Because of an autotools port bug, you will need to do the following:
dos2unix.exe libhtp/configure.ac
dos2unix.exe libhtp/htp.pc.in
dos2unix.exe libhtp/Makefile.am
./autogen.sh
./configure CFLAGS="-DYAML_DECLARE_STATIC"
Add --enable-nfqueue to the configure line to build inline (NFQUEUE) mode; that
mode needs the netfilterforwin driver described under "Inline mode" below.
make
If the build succeeds, libtool leaves suricata.exe in src/.libs. To run it you
will also need libpcre-0.dll, libz-1.dll and pthreadGC2.dll, which the steps
above installed under c:/mingw or c:/msys.
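The dependency and Suricata build steps above, collected into one MSYS shell script that stops at the first failure instead of leaving a half-built tree. This is an added example, not the Suricata project's own build tooling. It assumes the WinPcap developer pack is unpacked as a directory containing Include/ and Lib/ (the usual WpdPack layout), that the libpcre and libyaml source directories are passed in as arguments, and that PKG_CONFIG_PATH is already set as described above; the function names are mine.

```sh
#!/bin/sh
# Added example: MSYS shell script that runs the dependency and Suricata build
# steps from this page in order. Not part of Suricata; the function names and
# the WpdPack layout (Include/, Lib/) are assumptions.

MINGW_PREFIX=${MINGW_PREFIX:-/mingw}

# Abort early if a tool the later steps need is not on PATH, or PKG_CONFIG_PATH is unset.
check_toolchain() {
    local missing="" t
    for t in gcc make autoconf automake libtool pkg-config git dos2unix; do
        command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
    done
    [ -n "${PKG_CONFIG_PATH:-}" ] || missing="$missing PKG_CONFIG_PATH(unset)"
    if [ -n "$missing" ]; then
        echo "check_toolchain: missing:$missing" >&2
        return 1
    fi
}

# "./configure && make && make install" for one dependency source tree.
# Usage: build_dep SRC_DIR [configure args...]
build_dep() {
    local dir=$1; shift
    ( cd "$dir" && ./configure "$@" && make && make install )
}

# Copy the WinPcap developer pack headers and MinGW import libraries (.a) into
# the MinGW prefix and rename libwpcap.a to libpcap.a so configure finds -lpcap.
# Usage: install_winpcap_devpack WPDPACK_DIR [MINGW_PREFIX]
install_winpcap_devpack() {
    local wpd=$1 prefix=${2:-$MINGW_PREFIX}
    [ -d "$wpd/Include" ] && [ -d "$wpd/Lib" ] || {
        echo "install_winpcap_devpack: $wpd has no Include/ and Lib/ directories" >&2
        return 1
    }
    mkdir -p "$prefix/include" "$prefix/lib" || return 1
    cp -R "$wpd/Include/." "$prefix/include/" || return 1
    cp "$wpd"/Lib/*.a "$prefix/lib/" || return 1
    [ -f "$prefix/lib/libwpcap.a" ] || {
        echo "install_winpcap_devpack: libwpcap.a not found in $wpd/Lib" >&2
        return 1
    }
    mv "$prefix/lib/libwpcap.a" "$prefix/lib/libpcap.a"
}

# Clone (if not already present), fix the libhtp line endings, and build.
# Usage: build_suricata [--inline]   (--inline adds --enable-nfqueue)
build_suricata() {
    local extra=""
    [ "${1:-}" = "--inline" ] && extra="--enable-nfqueue"
    [ -d oisf ] || git clone git://phalanx.openinfosecfoundation.org/oisf.git || return 1
    (
        cd oisf || exit 1
        for f in libhtp/configure.ac libhtp/htp.pc.in libhtp/Makefile.am; do
            dos2unix "$f" || exit 1
        done
        ./autogen.sh || exit 1
        ./configure CFLAGS="-DYAML_DECLARE_STATIC" $extra || exit 1
        make || exit 1
        # libtool leaves the linked binary in src/.libs
        [ -f src/.libs/suricata.exe ] || {
            echo "build finished but src/.libs/suricata.exe is missing" >&2; exit 1
        }
    )
}

# Whole sequence. Usage: build_all PCRE_SRC LIBYAML_SRC WPDPACK_DIR [--inline]
build_all() {
    check_toolchain || return 1
    build_dep "$1" --enable-utf8 --disable-cpp --prefix="$MINGW_PREFIX" || return 1
    build_dep "$2" --prefix="$MINGW_PREFIX" CFLAGS="-DYAML_DECLARE_STATIC" || return 1
    install_winpcap_devpack "$3" || return 1
    build_suricata "${4:-}"
}
```

Run it from the MSYS shell in the directory that should hold the oisf checkout, e.g. `build_all ~/pcre-8.x ~/yaml-0.1.x ~/WpdPack --inline`. Each stage returns non-zero on failure, so nothing after a broken dependency build is attempted.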
Preparing the runtime environment
To prepare the runtime environment, you must copy the executable and DLLs to a
dedicated directory. Get the classification.config and suricata.yaml, and then
edit suricata.yaml to ensure the directories are correctly identified.
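The staging step above as an MSYS shell function, added here as an example rather than taken from the Suricata project: it copies the binary, the three DLLs and classification.config into one directory, and rewrites the directory settings in suricata.yaml so Suricata stops looking for /etc/suricata and /var/log/suricata. It assumes that suricata.yaml (generated by ./configure) and classification.config sit at the top of the source tree, that the DLLs are in MinGW's bin directory, and that the yaml carries the top-level keys default-log-dir, default-rule-path and classification-file.

```sh
#!/bin/sh
# Added example (not Suricata's own tooling): collect the binary, its DLLs and
# the config files into one runtime directory and point suricata.yaml at it.
# Assumptions: suricata.yaml and classification.config are at the top of the
# source tree, the DLLs are in MinGW's bin directory, and the yaml has the
# top-level keys default-log-dir, default-rule-path and classification-file.
# DEST must not contain '|' or '&' (they are special in the sed replacement).
# Usage: stage_runtime SRC_TREE MINGW_BIN DEST
#   e.g. stage_runtime ~/oisf /mingw/bin c:/suricata
stage_runtime() {
    local src=$1 mingw_bin=$2 dest=$3 f
    [ -f "$src/suricata.yaml" ] || {
        echo "stage_runtime: $src/suricata.yaml not found (run ./configure first)" >&2
        return 1
    }
    mkdir -p "$dest/log" "$dest/rules" || return 1
    for f in "$src/src/.libs/suricata.exe" \
             "$mingw_bin/libpcre-0.dll" "$mingw_bin/libz-1.dll" "$mingw_bin/pthreadGC2.dll" \
             "$src/classification.config"; do
        if [ ! -f "$f" ]; then
            echo "stage_runtime: missing $f" >&2
            return 1
        fi
        cp "$f" "$dest/" || return 1
    done
    # Rewrite the directory settings while copying the yaml into place.
    sed -e "s|^default-log-dir: .*|default-log-dir: $dest/log/|" \
        -e "s|^default-rule-path: .*|default-rule-path: $dest/rules|" \
        -e "s|^classification-file: .*|classification-file: $dest/classification.config|" \
        "$src/suricata.yaml" > "$dest/suricata.yaml" || return 1
    # Print what ended up in the yaml so a wrong path is caught before the first
    # run; grep's exit status (1 if none of the keys exist) becomes ours.
    grep -E '^(default-log-dir|default-rule-path|classification-file):' "$dest/suricata.yaml"
}
```

Use a Windows-style path with forward slashes for DEST (as in c:/suricata): MSYS accepts it for the copy, and suricata.exe, being a native Windows binary, needs it in the yaml.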
pcap mode
If you have not already done so, install the WinPcap runtime and its driver. Then
find the UUID of the interface you want to capture on: each interface is a
subkey, named by its UUID in braces, under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
WinPcap exposes that interface as \Device\NPF_{uuid}, so run:
suricata.exe -c suricata.yaml -i \Device\NPF_{uuid}
replacing {uuid} with the braced UUID of your interface.
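Finding the right interface without clicking through regedit: an added MSYS shell example (not from the Suricata project) that parses the output of `reg query ... /s` on the Interfaces key and prints, for every interface subkey, the \Device\NPF_{uuid} name WinPcap uses for it together with the address the TCP/IP stack has recorded (static IPAddress, else DhcpIPAddress). Picking the adapter by address avoids capturing on the wrong NIC. The registry dump embedded below is constructed, with made-up UUIDs and addresses; the function names are mine.

```sh
#!/bin/sh
# Added example (not from the Suricata project). In an MSYS shell:
#   reg query 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces' /s | list_npf_adapters
# prints "\Device\NPF_{uuid} address" per interface; pipe that into npf_adapter_for_ip.

# Read `reg query ... /s` output on stdin (CRLF tolerated) and print one line per
# interface subkey: the WinPcap device name, then the static IPAddress if set,
# else DhcpIPAddress, else "-".
list_npf_adapters() {
    tr -d '\r' | awk '
        function flush() {
            if (guid != "") {
                addr = (ip != "" && ip != "0.0.0.0") ? ip : (dhcp != "" && dhcp != "0.0.0.0" ? dhcp : "-")
                printf "\\Device\\NPF_%s %s\n", guid, addr
            }
            guid = ""; ip = ""; dhcp = ""
        }
        /^HKEY_/ {
            flush()
            # the interface subkey name is the braced GUID at the end of the key path
            if (match($0, /[{][0-9A-Fa-f-]+[}]$/)) guid = substr($0, RSTART, RLENGTH)
            next
        }
        # value lines are "<name> <REG_TYPE> <data>"; REG_MULTI_SZ data is \0-separated
        $1 == "IPAddress"     { n = split($3, p, /\\0/); ip = p[1]; next }
        $1 == "DhcpIPAddress" { dhcp = $3; next }
        END { flush() }
    '
}

# Usage: list_npf_adapters < dump | npf_adapter_for_ip 192.168.1.23
# Prints the device name of the interface holding that address; exit 1 if none.
npf_adapter_for_ip() {
    awk -v want="$1" '$2 == want { print $1; found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample of what reg query prints (made-up UUIDs and addresses):
# one static interface, one DHCP interface, one with no address at all.
SAMPLE_REG_QUERY=$(cat <<'EOF'
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3A1F2B44-9C0D-4E11-8F5A-2B7C0E9D1A66}
    EnableDHCP    REG_DWORD    0x0
    IPAddress    REG_MULTI_SZ    10.0.0.5\0
    DhcpIPAddress    REG_SZ    0.0.0.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7E2C9A10-1B3D-4F55-9A6E-0C1D2E3F4A5B}
    EnableDHCP    REG_DWORD    0x1
    IPAddress    REG_MULTI_SZ    0.0.0.0\0
    DhcpIPAddress    REG_SZ    192.168.1.23

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C0FFEE00-1234-4ABC-9DEF-000000000001}
    EnableDHCP    REG_DWORD    0x1
EOF
)
```

With the live registry the pipeline is `reg query ... /s | list_npf_adapters | npf_adapter_for_ip <address>`, and the single line it prints is what goes after `-i`. An interface that shows "-" has no address configured and is rarely the one you want.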
Inline mode
To operate in inline mode, you must download, compile and install
netfilterforwin, which is the netfilter.sys driver and Windows port of the
libnetfilter_queue library.
Download and install the Windows Driver Kit from Microsoft:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=36a2630f-5d56-43b5-b996-7633f2ec14ff
Download netfilterforwin from http://sourceforge.net/projects/netfilterforwin/
Unpack it so the netfilterforwin directory is beside the oisf directory. You
must omit the version from its name.
Compile the driver
Open the correct build environment from your Start menu
Start > All Programs > Windows Driver Kits > WDK xxxx.yyyy.z > Build
Environments > Windows Server 2003 > x86 Free Build Environment
At your command line prompt, enter the following:
cd netfilterforwin/netfilter
nmake
Install the driver
Copy the inf/* files and the freshly built netfilter.sys to a separate
directory, then open Network Connections.
Right-click an interface, then select Properties
Click Install...
Select Service
Click Add
Click Have Disk...
Browse to the directory with the inf files and netfilter.sys, select
netfilter.inf, and then click OK.
Confirm everything
The driver is now installed.
Run Suricata in inline mode
suricata.exe -c suricata.yaml -q 0