How difficult is it to install SURICATA on Windows 10? HELP for a newbie 🙏

Hello, I know absolutely nothing about the program, I'm a total newbie, and I've been watching YouTube videos that aren't very helpful and asking ChatGPT, but I'm really slowed down and I don't know how to progress further.

I would really like to learn how to use this program but I can't even get it to start without errors.

I am on Windows 10 and these are the steps I followed…

  1. :neutral_face: npcap, latest version

  2. :open_mouth: suricata, latest version

  3. :face_with_raised_eyebrow: C:\Program Files\Suricata - I open the file "suricata.yaml"

  4. :thinking: I go to "Step 1: Inform Suricata about your network"
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

    When I use ipconfig in cmd:

  • Unknown Adapter NordLynx: # this is my VPN (if I run from the terminal, which one should I use? The VPN or the Ethernet? The VPN or the Wi-Fi? Or both? And in HOME_NET, what should I type?)

Specific DNS Suffix for this connection. . :
Link-local IPv6 Address. . . . . . . . : fe80::723e:7ca:789d:a5aa%60 # this?
IPv4 Address. . . . . . . . . . . . . . : 10.5.0.2 # or this?
Subnet Mask. . . . . . . . . . . . . . : 255.255.0.0
Default Gateway. . . . . . . . . . . . : 0.0.0.0


  • Ethernet Adapter Ethernet:

Specific DNS Suffix for this connection. . :
IPv4 Address. . . . . . . . . . . . . . : 192.168.1.139 # or this?
Subnet Mask. . . . . . . . . . . . . . : 255.255.255.0
Default Gateway. . . . . . . . . . . . : 192.168.1.254


  • Wireless LAN Adapter Wi-Fi:

Specific DNS Suffix for this connection. . :
IPv4 Address. . . . . . . . . . . . . . : 192.168.1.70 # or this?
Subnet Mask. . . . . . . . . . . . . . : 255.255.255.0
Default Gateway. . . . . . . . . . . . : 192.168.1.254


  5. :roll_eyes: Now in the suricata.yaml file I go to the part that says
    Configure Suricata to load Suricata-Update managed rules.

default-rule-path: C:\Program Files\Suricata\rules\
#(Now all these rules are not physically found in the rules folder, I don't know why. How can I download them?)
rule-files:

  • botcc.rules
  • botcc.portgrouped.rules
  • ciarmy.rules
  • compromised.rules
  • drop.rules
  • dshield.rules
  • emerging-activex.rules
  • emerging-adware_pup.rules
  • emerging-attack_response.rules
  • emerging-chat.rules
  • emerging-coinminer.rules
  • emerging-current_events.rules
  • emerging-dns.rules
  • emerging-dos.rules
  • emerging-exploit.rules
  • emerging-ftp.rules
  • emerging-games.rules
  • emerging-icmp_info.rules
  • emerging-icmp.rules
  • emerging-imap.rules
  • emerging-inappropriate.rules
  • emerging-info.rules
  • emerging-ja3.rules
  • emerging-malware.rules
  • emerging-misc.rules
  • emerging-mobile_malware.rules
  • emerging-netbios.rules
  • emerging-phishing.rules
  • emerging-p2p.rules
  • emerging-policy.rules
  • emerging-pop3.rules
  • emerging-rpc.rules
  • emerging-scada.rules
  • emerging-scan.rules
  • emerging-shellcode.rules
  • emerging-smtp.rules
  • emerging-snmp.rules
  • emerging-sql.rules
  • emerging-telnet.rules
  • emerging-tftp.rules
  • emerging-user_agents.rules
  • emerging-voip.rules
  • emerging-web_client.rules
  • emerging-web_server.rules
  • emerging-web_specific_apps.rules
  • emerging-worm.rules
  • tor.rules

  6. :angry: I delete all this


These others below are found in the folder, but some have errors.

  7. :grimacing: Here I delete all the "#" (but I try one at a time because some give errors)

#decoder-events.rules #available in suricata sources under rules dir
#stream-events.rules #available in suricata sources under rules dir
#http-events.rules #available in suricata sources under rules dir
#http2-events.rules #available in suricata sources under rules dir
#smtp-events.rules #available in suricata sources under rules dir
#dns-events.rules #available in suricata sources under rules dir
#tls-events.rules #available in suricata sources under rules dir
#modbus-events.rules # ERROR I fixed it by enabling modbus in the suricata.yaml file
#mqtt-events.rules #available in suricata sources under rules dir
#app-layer-events.rules #available in suricata sources under rules dir
#dnp3-events.rules # ERROR I fixed it by enabling dnp3 in the suricata.yaml file
#ntp-events.rules #available in suricata sources under rules dir
#ipsec-events.rules #available in suricata sources under rules dir
#kerberos-events.rules #available in suricata sources under rules dir
#smb-events.rules #available in suricata sources under rules dir
#nfs-events.rules #available in suricata sources under rules dir
#dhcp-events.rules #available in suricata sources under rules dir
#ssh-events.rules #available in suricata sources under rules dir
#rfb-events.rules #available in suricata sources under rules dir
#ftp-events.rules #available in suricata sources under rules dir
#files.rules #available in suricata sources under rules dir
#quick-events.rules # ERROR: THE LETTER "K" IS MISSING IN THE WORD QUICK

  8. :face_with_monocle: Now I go to the cmd console and type:
    cd…
    cd…
    dir
    cd program files
    dir
    cd suricata

(fast way - cd C:\Program Files\Suricata)

  9. :nerd_face: Now I simply type:
    suricata
    Now suricata says:
    To run the engine with default configuration on interface eth0 with signature file "signatures.rules", run the command as:
    suricata -c suricata.yaml -s signatures.rules -i eth0
    so I do that

and when I do that the first error occurs:
Warning: debug: error opening file C:\Program Files\Suricata\log/suricata.log: Permission denied

  10. :angry: Now I solve this in the following way…
    I type this in the cmd:
    suricata -c suricata.yaml -i 10.5.0.2
    #(10.5.0.2 is the IPv4 of my VPN)
    This is so that Suricata runs without stopping and so we can observe the service in the Task Manager.
    In the Task Manager I went to the Details tab,
    I found the Suricata service,
    I right-clicked - Properties - Security tab - in the middle tab I clicked Edit and accepted all permissions.

  11. :face_holding_back_tears: Now I repeat step number 9 again,
    and it no longer gives any errors and some new files were created in the log folder.

  12. :neutral_face: Now I think this previous command only serves to create the folders, because when it is executed it does not stay running.
    Now I try to run this other command with my IPv4 to run the program:
    I try with:
    suricata.exe -c suricata.yaml -i 10.5.0.2
    and I get this error:
    W: threshold-config: Error opening file: "C:\Program Files\Suricata\\threshold.config": No such file or directory

  13. :yawning_face: So I created the missing file blank on the desktop and then pasted it into the Suricata folder.

  14. :face_exhaling: Now I go back to step 12 and run the command again;
    now it doesn't show any error.

  15. :dizzy_face: I'm trying to create some simple rule that allows me to see if it's really running.
    (I don't know what other simple rule I could use to check that this is working.)
    I try it with this rule that I saw in a YouTube video:
    drop tcp any any -> any any (msg:"block word"; content:"facebook"; sid:1000002; rev:1;)
    - I added the rule to the suricata.yaml file
    - I added the rule to the rules folder
    - I started the program with the IPv4 of my VPN with this command:
    suricata.exe -c suricata.yaml -i 10.5.0.2
    and it starts without showing any problems, but the rules do not seem to work.

  16. :rage: As you saw, I have 3 IPv4s… the only one that starts without errors is the VPN one… but it doesn't seem to work.
    I tried with the Ethernet one and the Wi-Fi one and both give the same error:
    W: win32-syscall: Failure when trying to get feature via syscall for '\Device\NPF_{991CDD93-B45E-4F62-BC46-00B5F02FCCF4}': Error genérico (0x80041001)


C:\Program Files\Suricata>suricata -c suricata.yaml -i 192.168.1.139
Info: win32-service: Running as service: no
Info: suricata: translated 192.168.1.139 to pcap device \Device\NPF_{991CDD93-B45E-4F62-BC46-00B5F02FCCF4}
i: suricata: This is Suricata version 7.0.5 RELEASE running in SYSTEM mode
i: runmodes: thread stack size of 0 to too small: setting to 512k
W: win32-syscall: Failure when trying to get feature via syscall for '\Device\NPF_{991CDD93-B45E-4F62-BC46-00B5F02FCCF4}': Error genérico (0x80041001)
W: suricata: setrlimit unavailable.
i: threads: Threads created -> RX: 1 W: 8 FM: 1 FR: 1 Engine started.
i: suricata: Signal Received. Stopping engine.
i: device: \Device\NPF_{991CDD93-B45E-4F62-BC46-00B5F02FCCF4}: packets: 5865, drops: 0 (0.00%), invalid chksum: 0


  17. :face_with_symbols_over_mouth: I tried disabling my firewall completely,
    I tried disabling my VPN,
    I tried disabling all my VPN protections,
    I tried creating the service in services.msc for Suricata,
    I tried disabling Wi-Fi and VPN and only having the Ethernet, as well as only having Wi-Fi,
    I tried filling the empty file that I created, "threshold.config", but I don't know what to put in it exactly. I asked ChatGPT and it gave me suggestions, but they only give me more errors. Nothing works; I ask the ChatGPT AI but it doesn't know the answer, it just repeats the same things.

  18. :sweat: I am totally new to using this program. I think it is very good and that everyone should have it on their computers, not just the experts. It is a shame that it is so complicated to just install it correctly. I have already spent several days trying to understand it a little and I haven't been able to get it to work. It is an old program; I don't know why it doesn't come with a more detailed and complete guide, and if you search on YouTube there are no good enough guides and everyone uses it on Linux…

Thank you for reading :metal:

Suricata (Stable) version 6.0.19

Windows 10

                --== Initialization Complete ==--

I found the solution:
I installed the software from the competition.
It was much simpler, without so many errors.
  , ,_
o"     )~
   ' ' ' '
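Two offline checks for the two questions the original post leaves open: what HOME_NET should contain for the adapters shown in the ipconfig output, and how to tell whether the test rule (sid 1000002) actually fired. This is an added example, not code from the post or from the Suricata project. It assumes the address/mask pairs printed by ipconfig above and the default HOME_NET quoted from suricata.yaml; the eve.json lines are constructed in the shape Suricata writes to its EVE log (one JSON object per line, alerts carrying event_type "alert" with the rule's sid under alert.signature_id) and are not output from the poster's machine.

```python
"""Sanity checks for a first Suricata setup on Windows (added example).

1. HOME_NET: turn each adapter's IPv4 address + subnet mask, as printed by
   ipconfig, into a CIDR network and check whether the stock HOME_NET from
   suricata.yaml already covers it.
2. Did the test rule fire? Scan EVE JSON records for a given signature id
   and summarise the hits per flow.

All sample data below is constructed for this example.
"""
import ipaddress
import json
from collections import Counter

# Default HOME_NET from the stock suricata.yaml quoted in the post.
DEFAULT_HOME_NET = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]

# Address/mask pairs copied from the ipconfig output in the post.
ADAPTERS = {
    "NordLynx (VPN)": ("10.5.0.2", "255.255.0.0"),
    "Ethernet": ("192.168.1.139", "255.255.255.0"),
    "Wi-Fi": ("192.168.1.70", "255.255.255.0"),
}


def adapter_network(ip, mask):
    """Return the network an interface belongs to, e.g. 192.168.1.0/24."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def covered_by_home_net(network, home_net=DEFAULT_HOME_NET):
    """True if `network` lies inside one of the HOME_NET entries."""
    return any(network.subnet_of(ipaddress.ip_network(h)) for h in home_net)


def home_net_report(adapters=ADAPTERS, home_net=DEFAULT_HOME_NET):
    """Map adapter name -> (CIDR string, already covered by HOME_NET?)."""
    report = {}
    for name, (ip, mask) in adapters.items():
        net = adapter_network(ip, mask)
        report[name] = (str(net), covered_by_home_net(net, home_net))
    return report


# Constructed EVE JSON lines: one object per line; alerts have event_type
# "alert" and the sid under alert.signature_id. Peer addresses use the
# RFC 5737 documentation ranges. The last line imitates a truncated record.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"flow","src_ip":"192.168.1.139","dest_ip":"198.51.100.7","proto":"TCP"}
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"192.168.1.139","src_port":51234,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"block word","severity":3}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"http","src_ip":"192.168.1.139","dest_ip":"198.51.100.7","http":{"hostname":"www.example.com"}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert","src_ip":"192.168.1.70","src_port":51235,"dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"block word","severity":3}}
{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"alert","src_ip":"192.168.1.
"""


def alerts_for_sid(eve_text, sid):
    """Return the alert records whose signature_id equals `sid`.

    Lines that are not valid JSON (e.g. a record cut off at shutdown) or
    that are not alerts are skipped instead of aborting the scan.
    """
    hits = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert":
            continue
        if rec.get("alert", {}).get("signature_id") == sid:
            hits.append(rec)
    return hits


def alert_summary(eve_text, sid):
    """Count hits for `sid` per (src_ip, dest_ip, dest_port) triple."""
    return Counter(
        (r["src_ip"], r["dest_ip"], r["dest_port"])
        for r in alerts_for_sid(eve_text, sid)
    )


if __name__ == "__main__":
    for name, (cidr, ok) in home_net_report().items():
        print(f"{name:15s} {cidr:18s} covered by default HOME_NET: {ok}")
    for (src, dst, port), n in alert_summary(SAMPLE_EVE, 1000002).items():
        print(f"sid 1000002 fired {n}x for {src} -> {dst}:{port}")
```

Both derived subnets (192.168.1.0/24 for Ethernet and Wi-Fi, 10.5.0.0/16 for the VPN) already lie inside the stock HOME_NET list, so for these addresses the default value does not need changing. To check a real run, read the eve.json that Suricata writes to its log folder and pass its text to alerts_for_sid with the sid of the test rule; an empty result means the rule never matched on that interface, which is the verification the post was missing.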