File: setting-up-ipsinline-for-windows.rst

package info (click to toggle)
suricata 1%3A8.0.1-3
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 240,704 kB
  • sloc: ansic: 357,736; python: 8,721; sh: 5,043; makefile: 2,411; perl: 570; php: 170
file content (69 lines) | stat: -rw-r--r-- 2,057 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
Setting up IPS/inline for Windows
=================================

This guide explains how to work with Suricata in layer 4 inline mode using
WinDivert on Windows.

First start by compiling Suricata with WinDivert support. For instructions, see
`Windows Installation
<https://redmine.openinfosecfoundation.org/attachments/download/1175/SuricataWinInstallationGuide_v1.4.3.pdf>`_.
This documentation has not yet been updated with WinDivert information, so make
sure to add the following flags before configuring Suricata with ``configure``:

::
  
  --enable-windivert=yes --with-windivert-include=<include-dir> --with-windivert-libraries=<libraries-dir>

WinDivert.dll and WinDivert.sys must be in the same directory as the Suricata
executable. WinDivert automatically installs the driver when it is run. For more
information about WinDivert, see https://www.reqrypt.org/windivert-doc.html.

To check if you have WinDivert enabled in your Suricata, enter the following
command in an elevated command prompt or terminal:

::
  
  suricata -c suricata.yaml --windivert [filter string]

For information on the WinDivert filter language, see
https://www.reqrypt.org/windivert-doc.html#filter_language

If Suricata is running on a gateway and is meant to protect the network behind
that gateway, you need to run WinDivert at the `NETWORK_FORWARD` layer. This can
be achieved using the following command:

::

  suricata -c suricata.yaml --windivert-forward [filter string]

The filter is automatically stopped and normal traffic resumes when Suricata is
stopped.

A quick start is to examine all traffic, in which case you can use the following
command:

::
  
  suricata -c suricata.yaml --windivert[-forward] true

A few additional examples:

Only TCP traffic:

::

  suricata -c suricata.yaml --windivert tcp


Only TCP traffic on port 80:

::

  suricata -c suricata.yaml --windivert "tcp.DstPort == 80"


TCP and ICMP traffic:

::

  suricata -c suricata.yaml --windivert "tcp or icmp"