How difficult is it to install SURICATA on Windows 10? HELP for a newbie 🙏

Hello. I know absolutely nothing about the program, I’m a total newbie, and I’ve been watching YouTube videos that aren’t very helpful and asking ChatGPT, but I’m really slowed down and I don’t know how to progress further.

I would really like to learn how to use this program but I can’t even get it to start without errors.

I am on Windows 10 and these are the steps I followed…

  1. :neutral_face: npcap last version

  2. :open_mouth: suricata last version

  3. :face_with_raised_eyebrow: In C:\Program Files\Suricata I open the file “suricata.yaml”

  4. :thinking: I go to “Step 1: Inform Suricata about your network”:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

    When I use ipconfig in cmd:

  • Unknown Adapter NordLynx: # this is my VPN (if I run from the terminal, which one should I use? The VPN or the Ethernet? The VPN or the Wi-Fi? Or both? And in HOME_NET, what should I type?)

Specific DNS Suffix for this connection. . :
Link-local IPv6 Address. . . . . . . . : fe80::723e:7ca:789d:a5aa%60 # this?
IPv4 Address. . . . . . . . . . . . . . : 10.5.0.2 # or this?
Subnet Mask. . . . . . . . . . . . . . : 255.255.0.0
Default Gateway. . . . . . . . . . . . : 0.0.0.0


  • Ethernet Adapter Ethernet:

Specific DNS Suffix for this connection. . :
IPv4 Address. . . . . . . . . . . . . . : 192.168.1.139 # or this?
Subnet Mask. . . . . . . . . . . . . . : 255.255.255.0
Default Gateway. . . . . . . . . . . . : 192.168.1.254


  • Wireless LAN Adapter Wi-Fi:

Specific DNS Suffix for this connection. . :
IPv4 Address. . . . . . . . . . . . . . : 192.168.1.70 # or this?
Subnet Mask. . . . . . . . . . . . . . : 255.255.255.0
Default Gateway. . . . . . . . . . . . : 192.168.1.254


  5. :roll_eyes: now in the suricata.yaml file I go to the part that says
    “Configure Suricata to load Suricata-Update managed rules.”

default-rule-path: C:\Program Files\Suricata\rules\
#(Now, all these rules are not physically in the rules folder, I don’t know why. How can I download them?)
rule-files:

  • botcc.rules
  • botcc.portgrouped.rules
  • ciarmy.rules
  • compromised.rules
  • drop.rules
  • dshield.rules
  • emerging-activex.rules
  • emerging-adware_pup.rules
  • emerging-attack_response.rules
  • emerging-chat.rules
  • emerging-coinminer.rules
  • emerging-current_events.rules
  • emerging-dns.rules
  • emerging-dos.rules
  • emerging-exploit.rules
  • emerging-ftp.rules
  • emerging-games.rules
  • emerging-icmp_info.rules
  • emerging-icmp.rules
  • emerging-imap.rules
  • emerging-inappropriate.rules
  • emerging-info.rules
  • emerging-ja3.rules
  • emerging-malware.rules
  • emerging-misc.rules
  • emerging-mobile_malware.rules
  • emerging-netbios.rules
  • emerging-phishing.rules
  • emerging-p2p.rules
  • emerging-policy.rules
  • emerging-pop3.rules
  • emerging-rpc.rules
  • emerging-scada.rules
  • emerging-scan.rules
  • emerging-shellcode.rules
  • emerging-smtp.rules
  • emerging-snmp.rules
  • emerging-sql.rules
  • emerging-telnet.rules
  • emerging-tftp.rules
  • emerging-user_agents.rules
  • emerging-voip.rules
  • emerging-web_client.rules
  • emerging-web_server.rules
  • emerging-web_specific_apps.rules
  • emerging-worm.rules
  • tor.rules

  6. :angry: I delete all this


These others below are found in the folder, but some have errors:

  7. :grimacing: here I delete all the “#” (but I try one at a time because some give errors)

#decoder-events.rules #available in suricata sources under rules dir
#stream-events.rules #available in suricata sources under rules dir
#http-events.rules #available in suricata sources under rules dir
#http2-events.rules #available in suricata sources under rules dir
#smtp-events.rules #available in suricata sources under rules dir
#dns-events.rules #available in suricata sources under rules dir
#tls-events.rules #available in suricata sources under rules dir
#modbus-events.rules # ERROR I fixed it by enabling modbus in the suricata.yaml file
#mqtt-events.rules #available in suricata sources under rules dir
#app-layer-events.rules #available in suricata sources under rules dir
#dnp3-events.rules # ERROR I fixed it by enabling dnp3 in the suricata.yaml file
#ntp-events.rules #available in suricata sources under rules dir
#ipsec-events.rules #available in suricata sources under rules dir
#kerberos-events.rules #available in suricata sources under rules dir
#smb-events.rules #available in suricata sources under rules dir
#nfs-events.rules #available in suricata sources under rules dir
#dhcp-events.rules #available in suricata sources under rules dir
#ssh-events.rules #available in suricata sources under rules dir
#rfb-events.rules #available in suricata sources under rules dir
#ftp-events.rules #available in suricata sources under rules dir
#files.rules #available in suricata sources under rules dir
#quick-events.rules # ERROR THE LETTER “K” IS MISSING IN THE WORD QUICK

  8. :face_with_monocle: now I go to the cmd console and type:
    cd ..
    cd ..
    dir
    cd program files
    dir
    cd suricata

(fast way - cd C:\Program Files\Suricata)

  9. :nerd_face: now I simply type:
    suricata
    Now suricata says:
    To run the engine with default configuration on interface eth0 with signature file "signatures.rules", run the command as:
    suricata -c suricata.yaml -s signatures.rules -i eth0
    so I do that

and when I do that the first error occurs:
Warning: debug: error opening file C:\Program Files\Suricata\log/suricata.log: Permission denied

  10. :angry: Now I solve this in the following way…
    I type this in the cmd:
    suricata -c suricata.yaml -i 10.5.0.2
    #(10.5.0.2 is the IPv4 of my VPN)
    This is so that suricata runs without stopping and so we can observe the service in the task manager.
    In the task manager I went to the Details tab,
    I found the suricata service,
    I right-clicked - Properties - Security tab - in the middle tab I clicked Edit and accepted all permissions.

  11. :face_holding_back_tears: Now I repeat step number 9 again,
    and it no longer gives any errors, and some new files were created in the log folder.

  12. :neutral_face: Now I think this previous command only serves to create the folders, because when it is executed it does not stay running.
    Now I try to run this other command with my IPv4 to run the program.
    I try with:
    suricata.exe -c suricata.yaml -i 10.5.0.2
    and I get this error:
    W: threshold-config: Error opening file: "C:\Program Files\Suricata\\threshold.config": No such file or directory

  13. :yawning_face: so I created the missing file blank on the desktop and then pasted it into the suricata folder

  14. :face_exhaling: Now I go back to step 12 and run the command again;
    now it doesn’t show any error.

  15. :dizzy_face: I’m trying to create some simple rule that allows me to see if it’s really running.
    (I don’t know what other simple rule I could use to check that this is working.)
    I try it with this rule that I saw in a YouTube video:
    drop tcp any any -> any any (msg:"block word"; content:"facebook"; sid:1000002; rev:1;)
    - I added the rule to the suricata.yaml file
    - I added the rule to the rules folder
    - I started the program with the IPv4 of my VPN with this command:
    suricata.exe -c suricata.yaml -i 10.5.0.2
    and it starts without showing any problems, but the rules do not seem to work.

  16. :rage: As you saw, I have 3 IPv4s… the only one that starts without errors is the VPN one, but it doesn’t seem to work.
    I tried with the Ethernet one and the Wi-Fi one and both give the same error:
    W: win32-syscall: Failure when trying to get feature via syscall for '\Device\NPF_{991CDD93-B45E-4F62-BC46-00B5F02FCCF4}': Error genérico (0x80041001)


C:\Program Files\Suricata>suricata -c suricata.yaml -i 192.168.1.139
Info: win32-service: Running as service: no
Info: suricata: translated 192.168.1.139 to pcap device \Device\NPF_{991CDD93-B45E-4F62-BC46-00B5F02FCCF4}
i: suricata: This is Suricata version 7.0.5 RELEASE running in SYSTEM mode
i: runmodes: thread stack size of 0 to too small: setting to 512k
W: win32-syscall: Failure when trying to get feature via syscall for '\Device\NPF_{991CDD93-B45E-4F62-BC46-00B5F02FCCF4}': Error genérico (0x80041001)
W: suricata: setrlimit unavailable.
i: threads: Threads created -> RX: 1 W: 8 FM: 1 FR: 1 Engine started.
i: suricata: Signal Received. Stopping engine.
i: device: \Device\NPF_{991CDD93-B45E-4F62-BC46-00B5F02FCCF4}: packets: 5865, drops: 0 (0.00%), invalid chksum: 0


  17. :face_with_symbols_over_mouth: I tried disabling my firewall completely,
    I tried disabling my VPN,
    I tried disabling all my VPN protections,
    I tried creating the service in services.msc for suricata,
    I tried disabling Wi-Fi and VPN and only having the Ethernet, as well as only having Wi-Fi,
    I tried filling the empty file that I created, “threshold.config”, but I don’t know what to put in it exactly. I asked ChatGPT and it gave me suggestions, but they only give me more errors. Nothing works. I ask ChatGPT but it doesn’t know the answer, it just repeats the same things.

  18. :sweat: I am totally new to using this program. I think it is very good and that everyone should have it on their computers, not just the experts. It is a shame that it is so complicated just to install it correctly. I have already spent several days trying to understand it a little and I haven’t been able to get it to work. It is an old program; I don’t know why it doesn’t come with a more detailed and complete guide, and if you search on YouTube there are no good enough guides and everyone uses it on Linux…

Thank you for reading :metal:

Suricata (Stable) version 6.0.19

Windows 10

                --== Initialization Complete ==--
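As an added example (not code from the post or from the Suricata project), the stdlib-only Python script below is a pre-flight check that answers the three points the post gets stuck on: which adapters the default HOME_NET already covers (step 4), which of the rule-files listed in suricata.yaml are actually missing from the rules folder (step 5), and whether a test rule like the one in step 15 is well-formed and what its action really does in this setup. The ipconfig text and the YAML excerpt are constructed from the values quoted in the post, the function names are my own, and a temporary folder stands in for the real rules directory so the script runs offline.

```python
"""Pre-flight checks for a Suricata-on-Windows install, run before starting the engine."""
import ipaddress
import os
import re
import tempfile

# --- 1. HOME_NET vs. the adapters ipconfig reports ---------------------------------
# Constructed sample mirroring the three adapters quoted in the post (VPN, Ethernet, Wi-Fi).
IPCONFIG_SAMPLE = """
Unknown adapter NordLynx:
   IPv4 Address. . . . . . . . . . . . . . : 10.5.0.2
   Subnet Mask. . . . . . . . . . . . . . : 255.255.0.0
Ethernet adapter Ethernet:
   IPv4 Address. . . . . . . . . . . . . . : 192.168.1.139
   Subnet Mask. . . . . . . . . . . . . . : 255.255.255.0
Wireless LAN adapter Wi-Fi:
   IPv4 Address. . . . . . . . . . . . . . : 192.168.1.70
   Subnet Mask. . . . . . . . . . . . . . : 255.255.255.0
"""
DEFAULT_HOME_NET = "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"  # the suricata.yaml default
HEADER_RE = re.compile(r"^\S.*adapter .*:\s*$", re.IGNORECASE)
FIELD_RE = re.compile(r"^\s*(IPv4 Address|Subnet Mask)[ .]*:\s*(\S+)")

def parse_ipconfig(text):
    """Map adapter name -> IPv4Interface (address + mask) from ipconfig output."""
    adapters, name, fields = {}, None, {}
    for line in text.splitlines():
        if HEADER_RE.match(line):            # "Ethernet adapter Ethernet:" starts a new block
            name, fields = line.strip().rstrip(":"), {}
        elif m := FIELD_RE.match(line):      # keep only the two fields that define the subnet
            fields[m.group(1)] = m.group(2)
        if name and len(fields) == 2:
            adapters[name] = ipaddress.IPv4Interface(f"{fields['IPv4 Address']}/{fields['Subnet Mask']}")
            name, fields = None, {}
    return adapters

def home_net_check(adapters, home_net=DEFAULT_HOME_NET):
    """For each adapter: is its subnet inside HOME_NET? (plain CIDR list only, no '!' negation)"""
    nets = [ipaddress.ip_network(p.strip(), strict=False) for p in home_net.strip("[] ").split(",")]
    return {name: any(n.version == 4 and i.network.subnet_of(n) for n in nets)
            for name, i in adapters.items()}

# --- 2. rule-files listed in suricata.yaml vs. files actually on disk ---------------
# Constructed excerpt modelled on the rule-files block quoted in the post (not the real file).
YAML_EXCERPT = r"""
default-rule-path: C:\Program Files\Suricata\rules\
rule-files:
  - botcc.rules
  - emerging-malware.rules
  - local.rules
  #- decoder-events.rules
"""

def parse_rule_files(yaml_text):
    """Minimal reader for the two keys we care about; avoids a PyYAML dependency."""
    path, files, in_list = None, [], False
    for line in (l.strip() for l in yaml_text.splitlines()):
        if line.startswith("default-rule-path:"):
            path, in_list = line.split(":", 1)[1].strip(), False
        elif line.startswith("rule-files:"):
            in_list = True
        elif in_list and line.startswith("- "):
            files.append(line[2:].strip())
        elif in_list and line and not line.startswith("#"):   # commented-out entries are skipped
            in_list = False
    return path, files

def missing_rule_files(rule_path, files):
    """Names from rule-files that do not exist under default-rule-path."""
    return [f for f in files if not os.path.isfile(os.path.join(rule_path, f))]

# --- 3. a quick structural check on a single rule ------------------------------------
RULE_RE = re.compile(r"^(alert|drop|pass|reject)\s+(\S+)\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s+\((.*)\)\s*$")

def check_rule(rule):
    """Describe a rule, or return ok=False with the reason the engine would reject it."""
    m = RULE_RE.match(rule.strip())
    if not m:
        return {"ok": False, "reason": "expected: action proto src sport -> dst dport (options)"}
    opts = {}
    for part in filter(None, (p.strip() for p in m.group(4).split(";"))):  # naive: a ';' inside msg breaks this
        key, _, value = part.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    if not opts.get("sid", "").isdigit():
        return {"ok": False, "reason": "every rule needs a numeric sid"}
    out = {"ok": True, "action": m.group(1), "proto": m.group(2), "sid": int(opts["sid"]), "msg": opts.get("msg", "")}
    if out["action"] == "drop":
        out["note"] = "drop only blocks in IPS mode; with -i on an Npcap device Suricata runs as an IDS and a match only alerts"
    return out

def demo():
    """Run all three checks offline; a temp dir stands in for the real rules folder."""
    adapters = parse_ipconfig(IPCONFIG_SAMPLE)
    coverage = home_net_check(adapters)
    with tempfile.TemporaryDirectory() as tmp:
        for present in ("botcc.rules", "local.rules"):       # pretend only these two were downloaded
            open(os.path.join(tmp, present), "w").close()
        missing = missing_rule_files(tmp, parse_rule_files(YAML_EXCERPT)[1])
    rule = 'drop tcp any any -> any any (msg:"block word"; content:"facebook"; sid:1000002; rev:1;)'
    return coverage, missing, check_rule(rule)

if __name__ == "__main__":
    for label, value in zip(("HOME_NET coverage", "missing rule files", "rule check"), demo()):
        print(f"{label}: {value}")
```

On the real machine, replace IPCONFIG_SAMPLE with the output of `ipconfig` and point missing_rule_files at C:\Program Files\Suricata\rules; that folder stays empty until a ruleset is downloaded into it (the yaml comment refers to Suricata-Update), which is why every name in the list reports as missing. All three adapters in the post fall inside the default HOME_NET, so that setting needs no edit; the adapter whose traffic you want to inspect is the one whose IPv4 goes after `-i`, and the log line "translated 192.168.1.139 to pcap device \Device\NPF_{...}" confirms the mapping. Because a drop rule cannot block anything in this mode, the quickest proof of life is an alert rule on ICMP, a ping, and a look at fast.log and eve.json in the log folder.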

I found the solution:
I installed the software from the competition.
It was much simpler, without so many errors.
  , ,_
o"     )~
   ’ ’ ’ ’