Suricata…. for Windows
I spent a short while googling around to find a way to install Suricata on Windows that would actually work. Turns out, it's not that simple to install and there was no easy button. Eventually, I got something to work, albeit not pretty, but it is reproducible!
In my case, I am using Splunk Attack Range and the Server has the Splunk UF installed. If you are using Splunk, you will need the Suricata TA.
My simple little script will:
1. Download Suricata
2. Download NPcap
3. Prompt you to click through the Npcap installer
4. Restart Splunk UF
5. Download suricata.yaml (from GIST)
6. Start all the things
Two steps:
1.) Install the Suricata TA to $splunkUF/etc/apps on the Windows system, not a Linux box.
1.a) Modify the inputs to index=network (or any index of choice).
1.b) Ensure the monitor path is Windows-specific and points to Suricata's eve.json file (see below):
[monitor://C:\Program Files\Suricata\log\eve.json]
host = splunk-nat-sec
sourcetype = suricata
index = network
2.) Copy the script to disk, or copy and paste it into PowerShell/PowerShell_ISE. Read it. Modify the last line for the interface. Run it.
2.a) The script will prompt you to double-click the npcap.exe installer in C:\temp.
Easy? Let's demo!
That was simple!
Note that the script starts Suricata at the end on a specific IP (tied to Attack Range); you will need to modify that for your instance.
Post-install, just drop that Suricata TA in there and you are all set!
That is it! Hope you have found this helpful!
Script below and here.
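As an added example (not the author's script, which is not reproduced on this page), here is a PowerShell sketch of the six steps listed above. The download URLs, installer file names, expected hashes, the gist URL, the capture-interface IP and the "SplunkForwarder" service name are assumptions marked as placeholders; run it from an elevated prompt and check every placeholder before use.

```powershell
#Requires -RunAsAdministrator
# Added example, not the original script. PLACEHOLDER values are assumptions to replace.
$ErrorActionPreference = 'Stop'
$temp      = 'C:\temp'
$suriDir   = 'C:\Program Files\Suricata'          # install dir the inputs.conf stanza above monitors
$suriMsi   = Join-Path $temp 'suricata.msi'
$npcapExe  = Join-Path $temp 'npcap.exe'
$suriYaml  = Join-Path $suriDir 'suricata.yaml'
$interface = '10.0.1.14'                          # PLACEHOLDER: on Windows, Suricata's -i takes the interface IP

# Verify a downloaded installer against a known SHA-256 before executing it (PLACEHOLDER hashes).
function Assert-FileHash([string]$Path, [string]$ExpectedSha256) {
    if ($ExpectedSha256 -eq 'PLACEHOLDER') { Write-Warning "No hash pinned for $Path"; return }
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpper()) { throw "Hash mismatch for $Path: $actual" }
}

New-Item -ItemType Directory -Path $temp -Force | Out-Null
New-Item -ItemType Directory -Path (Join-Path $suriDir 'log') -Force | Out-Null

# 1. Download Suricata (PLACEHOLDER URL; use the current Windows MSI from the Suricata project)
Invoke-WebRequest -Uri 'https://example.invalid/Suricata.msi' -OutFile $suriMsi
Assert-FileHash $suriMsi 'PLACEHOLDER'
# 2. Download Npcap (PLACEHOLDER URL; use the current installer from the Npcap project)
Invoke-WebRequest -Uri 'https://example.invalid/npcap.exe' -OutFile $npcapExe
Assert-FileHash $npcapExe 'PLACEHOLDER'

# Install Suricata unattended with msiexec
Start-Process -FilePath 'msiexec.exe' -ArgumentList "/i `"$suriMsi`" /qn" -Wait

# 3. The free Npcap installer has no silent switch, so the operator must click through it
Write-Host "Double-click $npcapExe, finish the Npcap installer, then come back here."
Read-Host 'Press Enter once Npcap is installed'

# 4. Restart the Splunk Universal Forwarder so the Suricata TA inputs are loaded
Restart-Service -Name 'SplunkForwarder'

# 5. Download suricata.yaml (PLACEHOLDER gist URL)
Invoke-WebRequest -Uri 'https://gist.githubusercontent.com/<user>/<id>/raw/suricata.yaml' -OutFile $suriYaml

# 6. Start Suricata on the chosen interface, writing eve.json under $suriDir\log.
#    Change $interface above (or this line) to your own capture interface.
Start-Process -FilePath (Join-Path $suriDir 'suricata.exe') `
    -ArgumentList "-c `"$suriYaml`" -l `"$suriDir\log`" -i $interface"
```

Once Suricata is running, confirm that C:\Program Files\Suricata\log\eve.json is growing and that events arrive in the index named in the TA's inputs.conf.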