@ProIntegritate
Last active October 20, 2021 20:03
Suricata 6.0 Setup on Windows 10 x64
**** Firing up Suricata on your Windows 10 box: ****
This is a very quick and dirty way to get it up and running so you can experiment with it.
There are lots of settings and things that I skip over; you should dig into the settings on your own.
1. Start by getting the 64 bit MSI with Suricata. https://suricata.io/download/
Install to default location: "C:\Program files\Suricata\"
____________________________________________________________________________________________________
2. Suricata requires NPCAP.
If you have Wireshark installed, you already have this; the current version (2021-Sep-24) of Npcap is 1.31.
If you don't use Wireshark (which you should), you can find it here: https://nmap.org/npcap/
Due to a path bug in Suricata, you need to copy the following files to "C:\Program files\Suricata\" as it can't find them:
C:\Windows\System32\Npcap\Packet.dll
C:\Windows\System32\Npcap\wpcap.dll
____________________________________________________________________________________________________
3. Configure Suricata: there is a configuration file: "suricata.yaml" in the root folder that needs to be configured:
3.1 The variable "HOME_NET:" needs to be set. Set it to your endpoint's or network's CIDR, e.g. 1.2.3.4/32 or 1.2.3.4/24
3.2 Set the "*_SERVERS:" variables if you have any.
3.3 Set the "default-log-dir:" variable, default = "C:\\Program Files\\Suricata\\log"
3.4 (optional) Configure some of the other outputs if required (I suggest TLS and DNS).
3.5 (optional) If you are deploying more than one sensor, you may want to set the "sensor-name:" variable on each.
3.6 (optional) There are some values for memory usage, some of them are rather low and can be increased.
____________________________________________________________________________________________________
4. Get the Emerging Threats Open ruleset here and put the rules in the rules folder with the other rules.
curl -L -o %date%_Suricata_emerging.rules.tar.gz https://rules.emergingthreats.net/open/suricata-6.0/emerging.rules.tar.gz
(In many locales %date% expands with spaces and slashes, which curl can't use as a filename; if it fails to create the file, drop the %date%_ prefix.)
It's in tar+Gzip format, which can be unpacked by 7Zip, PeaZip or whatevs.
Unpack to "default-rule-path:" which is "C:\\Program Files\\Suricata\\rules\\"
You can enable/disable whatever rules that apply to your system.
Example: If you're not running any Databases or SMTP servers, turn those rules off.
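As an added example (not part of the gist), the following PowerShell script automates steps 2, 3.1 and 4 and then has Suricata test the config. It assumes the default install path, an elevated prompt, and Windows 10 1803 or later for the built-in tar.exe; the HOME_NET value is a placeholder.

```powershell
# Added example, not from the gist: automates steps 2, 3.1 and 4 above.
# Assumes the default install path and an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'
$suri    = 'C:\Program Files\Suricata'
$rules   = Join-Path $suri 'rules'
$yaml    = Join-Path $suri 'suricata.yaml'
$homeNet = '1.2.3.4/32'   # placeholder: replace with your own host or network CIDR

# Step 2: work around the path bug by copying the Npcap DLLs next to suricata.exe.
foreach ($dll in 'Packet.dll', 'wpcap.dll') {
    $src = Join-Path 'C:\Windows\System32\Npcap' $dll
    if (-not (Test-Path $src)) { throw "Npcap not installed: $src is missing" }
    Copy-Item $src $suri -Force
}

# Step 3.1: set HOME_NET. Back up the yaml first, then rewrite only that line.
Copy-Item $yaml "$yaml.bak" -Force
(Get-Content $yaml) -replace '^(\s*HOME_NET:\s*).*$', "`$1`"[$homeNet]`"" |
    Set-Content $yaml -Encoding ASCII

# Step 4: fetch the ET Open ruleset and unpack it into the rules folder.
# Windows 10 (1803+) ships tar.exe (bsdtar), which reads .tar.gz directly;
# --strip-components=1 drops the archive's top-level "rules/" directory.
$tgz = Join-Path $env:TEMP 'emerging.rules.tar.gz'
Invoke-WebRequest -Uri 'https://rules.emergingthreats.net/open/suricata-6.0/emerging.rules.tar.gz' -OutFile $tgz
tar.exe -xzf $tgz -C $rules --strip-components=1

# Sanity check before going live: -T parses the yaml and loads every rule
# listed under "rule-files:" (wildcards such as "*.rules" are accepted),
# exiting non-zero on any error. Fix what it reports before step 5.
& (Join-Path $suri 'suricata.exe') -c $yaml -T
if ($LASTEXITCODE -ne 0) { throw 'suricata -T reported configuration errors' }
```

If the unpacked ET files do not show up in the -T rule count, add them (or a "*.rules" wildcard) to "rule-files:" in suricata.yaml.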
____________________________________________________________________________________________________
5. When you start it, you need to tell Suricata which interface/IP to listen on; this is done with the -i switch.
If you give it an IP instead of an interface, it will automagically find the interface from that.
Example (quote the path, since it contains a space):
"C:\Program Files\Suricata\suricata.exe" -c suricata.yaml -i 1.2.3.4
____________________________________________________________________________________________________
6. Exhale and get a sandwich, you earned it.