Your Image Alt Text

Suricata

Suricata is an open-source Network IDS/IPS (Intrusion Detection and Prevention System) that can be used on Windows for inspecting and protecting network traffic. In this article, we’ll explore the basics of Suricata on a Windows environment, including installation and basic usage.

Installation

  1. Download the latest Suricata Windows installer from the official Suricata website: Suricata Downloads

Configuration

After installation, you may need to adjust the configuration settings. The configuration file for Suricata on Windows is typically located in the installation directory, e.g., C:\Program Files\Suricata\suricata.yaml. Open this file using a text editor.

Suricata uses the Yaml format for configuration. The Suricata.yaml file included in the source code, is the example configuration of Suricata. This document will explain each option.

# Example suricata.yaml configuration for Windows

vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"

    EXTERNAL_NET: "!$HOME_NET"
    #EXTERNAL_NET: "any"

When you set HOME_NET, for example, you are telling Suricata which IP addresses are considered internal to your network. Similarly, EXTERNAL_NET is the set of addresses outside your internal network. These definitions are typically used within the rules section of Suricata to specify which traffic to match or ignore.

 port-groups:
  HTTP_PORTS: "80"
  SHELLCODE_PORTS: "!80"
  ORACLE_PORTS: 1521
  SSH_PORTS: 22
  DNP3_PORTS: 20000
  MODBUS_PORTS: 502
  FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
  FTP_PORTS: 21
  GENEVE_PORTS: 6081
  VXLAN_PORTS: 4789
  TEREDO_PORTS: 3544

Port groups are used to organize and reference sets of ports.

default-rule-path: rules
rule-files:
  - suricata.rules

Inside the rules folder, create or place your custom rule file.

Run Suricata:

Open a command prompt with administrator privileges. Navigate to the Suricata installation directory. Run Suricata using the command:

suricata.exe -c suricata.yaml -i [your_network_interface]

Replace [your_network_interface] with the actual network interface you want Suricata to monitor.

Remember to refer to the Suricata documentation or any specific documentation provided with the Windows distribution for detailed instructions and troubleshooting tips.