Suricata… for Windows


I spent a short while googling around for a way to install Suricata on Windows that would actually work. Turns out it is not that simple, and there is no easy button. Eventually I got something working; it is not pretty, but it is reproducible!

In my case I am using Splunk Attack Range, and the server has the Splunk Universal Forwarder (UF) installed. If you are using Splunk, you will also need the Suricata Technology Add-on (TA) so the eve.json events are parsed correctly.

My simple little script will:
1. Download the Suricata Windows installer
2. Download the Npcap installer
3. Prompt you to run the Npcap installer by hand (the free Npcap installer does not support unattended installation)
4. Restart the Splunk UF
5. Download suricata.yaml (from a GitHub Gist)
6. Start all the things

Two steps:

1.) Install the Suricata TA under $splunkUF/etc/apps on the Windows system where the UF runs, not on the Linux box.

1.a) Modify the TA's inputs.conf so events land in index=network (or any index of your choice).

1.b) Ensure the monitor path is Windows-specific and points at Suricata's eve.json file (see below):
[monitor://C:\Program Files\Suricata\log\eve.json]
host = splunk-nat-sec
sourcetype = suricata
index = network

2.) Copy the script to disk, or copy and paste it into PowerShell/PowerShell_ISE. Read it. Modify the last line to set the capture interface.
Run it.

2.a) The script will prompt you to double-click the npcap.exe installer it saved in C:\temp.
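Since the original script is linked rather than reproduced here, the following is an added PowerShell example (my own, not the author's script) that carries out the six steps above end to end. Everything environment-specific is a parameter, and several values are assumptions you must confirm before running: the Suricata MSI and Npcap download URLs are placeholders to be checked against the vendors' download pages, the Gist URL for suricata.yaml is yours to supply, the Windows service names 'SplunkForwarder' (Splunk UF) and 'npcap' (Npcap driver) are taken from default installs, and the optional SHA-256 values are left empty unless you copy them from the download pages. On Windows, Suricata's -i option takes the IP address of the capture interface, which is why the script asks for one.

```powershell
#Requires -RunAsAdministrator
# Added example: installs Suricata + Npcap on Windows and wires it to the Splunk UF.
# All URLs, hashes and service names below are assumptions to verify for your environment.
[CmdletBinding()]
param(
    # IP address of the interface Suricata should sniff (Windows -i takes an IP, not a name).
    [Parameter(Mandatory = $true)] [string] $InterfaceIp,
    # Your Gist's raw URL for suricata.yaml (placeholder: supply your own).
    [Parameter(Mandatory = $true)] [string] $YamlUrl,
    # Placeholder download URLs; confirm the current filenames on the vendors' download pages.
    [string] $SuricataMsiUrl = 'https://www.openinfosecfoundation.org/download/windows/Suricata-7.0.6-1-64bit.msi',
    [string] $NpcapUrl       = 'https://npcap.com/dist/npcap-1.79.exe',
    # Optional SHA-256 of each installer, copied from the download page; empty skips the check.
    [string] $SuricataMsiSha256 = '',
    [string] $NpcapSha256       = '',
    [string] $WorkDir     = 'C:\temp',
    [string] $SuricataDir = 'C:\Program Files\Suricata'
)

$ErrorActionPreference = 'Stop'

# Download a file and, when a hash is supplied, refuse to use it if the hash does not match.
function Get-Installer {
    param([string] $Url, [string] $Path, [string] $ExpectedSha256)
    Invoke-WebRequest -Uri $Url -OutFile $Path -UseBasicParsing
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {   # -ne on strings is case-insensitive
            Remove-Item -Path $Path -Force
            throw "SHA-256 mismatch for $Path (expected $ExpectedSha256, got $actual)"
        }
    }
    return $Path
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Step 1: Suricata. The MSI supports an unattended install via msiexec.
$msi = Get-Installer -Url $SuricataMsiUrl -Path (Join-Path $WorkDir 'suricata.msi') -ExpectedSha256 $SuricataMsiSha256
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/i `"$msi`" /qn /norestart" -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Suricata MSI install failed with exit code $($proc.ExitCode)" }

# Steps 2 and 3: Npcap. The free installer refuses silent mode, so hand it to the operator.
$npcap = Get-Installer -Url $NpcapUrl -Path (Join-Path $WorkDir 'npcap.exe') -ExpectedSha256 $NpcapSha256
Write-Host "Double-click $npcap and complete the Npcap installer (tick 'WinPcap API-compatible Mode')."
Read-Host 'Press Enter once Npcap has finished installing'
# Assumption: the Npcap driver registers a Windows service named 'npcap'.
if (-not (Get-Service -Name 'npcap' -ErrorAction SilentlyContinue)) {
    throw 'Npcap service not found; the driver did not install, so Suricata cannot capture.'
}

# Step 4: restart the Splunk UF so it reloads the Suricata TA inputs (assumed service name).
Restart-Service -Name 'SplunkForwarder' -Force

# Step 5: drop the Gist copy of suricata.yaml over the packaged one.
$cfg = Join-Path $SuricataDir 'suricata.yaml'
Invoke-WebRequest -Uri $YamlUrl -OutFile $cfg -UseBasicParsing

# Step 6: start Suricata against the chosen interface IP and confirm eve.json appears.
$exe = Join-Path $SuricataDir 'suricata.exe'
Start-Process -FilePath $exe -ArgumentList "-c `"$cfg`" -i $InterfaceIp" -WorkingDirectory $SuricataDir
Start-Sleep -Seconds 10
$eve = Join-Path $SuricataDir 'log\eve.json'
if (Test-Path $eve) {
    Write-Host "Suricata is writing $eve; the UF monitor stanza should now be forwarding it."
} else {
    Write-Warning "No $eve yet; check suricata.log in $SuricataDir\log for capture errors."
}
```

Run it from an elevated PowerShell prompt, for example `.\Install-SuricataWindows.ps1 -InterfaceIp 10.0.1.14 -YamlUrl <your raw Gist URL>` (the script filename and IP are illustrative). The hash check is optional but worth filling in: both installers run as SYSTEM and Npcap installs a kernel driver, so a swapped download is a full compromise of the sensor.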

Easy? Let's demo!

That was simple!
Note that at the end the script starts Suricata on a specific interface IP address (tied to the Attack Range layout). You will need to change that for your own instance.

Post-install, just drop the Suricata TA into the UF's apps directory as described above and you are all set!

That is it! Hope you have found this helpful!

Script below and here.

I write, sometimes, about InfoSec related topics and I love coffee.