I spent a short while googling around to find a way to install Suricata on Windows that would actually work. Turns out, it’s not that simple to install and there was no easy button. Eventually, I got something to work, albeit not pretty, but it is reproducible!
My simple little script will:
1. Download Suricata
2. Download NPcap
3. Prompt for clicking of NPcap
4. Restart Splunk UF
5. Download suricata.yaml (from GIST)
6. Start all the things
1.) Install the Suricata TA to $splunkUF/etc/apps on the Windows system, not the Linux box.
1.a) Modify the inputs to index=network (or any index of choice).
1.b) Ensure the monitor path is Windows-specific and points at Suricata's eve.json file (see the stanza below).
host = splunk-nat-sec
sourcetype = suricata
index = network
2.) Copy the script to disk, or copy and paste it into PowerShell/PowerShell_ISE. Read it. Modify the last line for the interface.
2.a) The script will prompt you to double-click the npcap.exe installer in c:\temp.
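As an added illustration of the six steps the script performs (this is not the author's script and is not reproduced from the post), here is a PowerShell version written for this page. Every URL, the Gist location, the TA folder name (TA-suricata), the Suricata install path (C:\Program Files\Suricata), the eve.json location, and the capture IP 10.0.1.14 are assumptions or placeholders to replace; the Splunk UF service name SplunkForwarder and the Npcap \Device\NPF_{GUID} adapter naming are real. Instead of passing an IP straight to Suricata, this version resolves the interface that owns the IP to its Npcap device name, which is what "modify the last line for the interface" amounts to.

```powershell
# Added example for this page, not the post's original script.
# Steps: download Suricata and Npcap, pause for the manual Npcap click-through,
# write a Windows-specific inputs.conf for the Suricata TA, restart the Splunk UF,
# fetch suricata.yaml, then start Suricata on the interface that owns $CaptureIp.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]$SuricataMsiUrl = 'https://example.invalid/Suricata-PLACEHOLDER-64bit.msi',          # placeholder URL
    [string]$NpcapUrl       = 'https://example.invalid/npcap-PLACEHOLDER.exe',                   # placeholder URL
    [string]$YamlUrl        = 'https://gist.githubusercontent.com/PLACEHOLDER/raw/suricata.yaml',# placeholder Gist
    [string]$CaptureIp      = '10.0.1.14',                                   # constructed; set to your box's IP
    [string]$SplunkHome     = 'C:\Program Files\SplunkUniversalForwarder',   # default UF install path
    [string]$SuricataHome   = 'C:\Program Files\Suricata'                    # assumed Suricata install path
)
$ErrorActionPreference = 'Stop'
$tmp = 'C:\temp'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null

# Steps 1 and 2: download the installers into C:\temp.
$msi   = Join-Path $tmp 'suricata.msi'
$npcap = Join-Path $tmp 'npcap.exe'
Invoke-WebRequest -Uri $SuricataMsiUrl -OutFile $msi   -UseBasicParsing
Invoke-WebRequest -Uri $NpcapUrl       -OutFile $npcap -UseBasicParsing

# Suricata ships as an MSI, so it installs silently; keep a verbose log for troubleshooting.
Start-Process msiexec.exe -Wait -ArgumentList "/i `"$msi`" /qn /l*v `"$tmp\suricata-install.log`""

# Step 3: the free Npcap installer has no supported silent switch, so hand it to the operator.
Start-Process -FilePath $npcap
Read-Host 'Finish the Npcap installer that just opened (defaults are fine), then press Enter'

# Step 4: write a Windows-specific monitor stanza for the TA, then restart the UF so it is read.
$inputsDir = Join-Path $SplunkHome 'etc\apps\TA-suricata\local'   # assumed TA folder name
New-Item -ItemType Directory -Path $inputsDir -Force | Out-Null
$evePath = Join-Path $SuricataHome 'log\eve.json'                 # assumed default-log-dir on Windows
@"
[monitor://$evePath]
host = splunk-nat-sec
sourcetype = suricata
index = network
disabled = 0
"@ | Set-Content -Path (Join-Path $inputsDir 'inputs.conf') -Encoding ASCII
Restart-Service -Name SplunkForwarder

# Step 5: drop the tuned suricata.yaml over the packaged one.
Invoke-WebRequest -Uri $YamlUrl -OutFile (Join-Path $SuricataHome 'suricata.yaml') -UseBasicParsing

# Step 6: map the capture IP to its adapter, build the Npcap device name, start Suricata.
$ifIndex = (Get-NetIPAddress -IPAddress $CaptureIp -AddressFamily IPv4).InterfaceIndex
$guid    = (Get-NetAdapter -InterfaceIndex $ifIndex).InterfaceGuid   # already wrapped in braces
$device  = "\Device\NPF_$guid"                                        # Npcap adapter naming
Start-Process -FilePath (Join-Path $SuricataHome 'suricata.exe') `
    -WorkingDirectory $SuricataHome `
    -ArgumentList @('-c', "`"$SuricataHome\suricata.yaml`"", '-i', $device)
```

Run it from an elevated PowerShell session; the #Requires line refuses to run otherwise. If eve.json never appears in Splunk, the first things to check are that the monitor path in inputs.conf matches the default-log-dir in the suricata.yaml you fetched, and that the SplunkForwarder service actually restarted after the file was written.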
Easy? Let’s demo!
That was simple!
Note that it will start Suricata at the end on a specific IP (related to Attack Range). You will need to modify that for your instance.
Post-install, just drop that Suricata TA in there and you are all set!
That is it! Hope you have found this helpful!
Script below and here.