How to configure Suricata-IDS in IPS mode in Windows Server 2019?

Hello,
I installed Suricata-IDS and Npcap on Windows Server 2019 and I want to use it in IPS mode. My Windows server runs IIS and Microsoft SQL Server and I want to protect them. I have some questions:

1- I want Suricata-IDS to run as a service on Windows OS, like on Linux, and protect my system automatically. I ran the command below:

But Suricata-IDS can’t run as a service:


Why?

2- In Linux, the NIC name is something like “eth0”, but in Windows OS it is not. Should I use the IP address instead of the NIC name?

3- In Linux, I created the lines below to enable IPS mode. How about Windows OS?

# cat /etc/suricata/drop.conf 
re: ET.CNC
re: ET.DOS
re: ET.DROP
re: ET.ACTIVEX
re: ET.COINMINER
re: ET.SCAN
re: ET.SHELLCODE
re: ET.ATTACK_RESPONSE
re: ET.WEB_SERVER

4- Can I define a new port to protect? In the suricata.yaml file, I see the sections below:

port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
    GENEVE_PORTS: 6081
    VXLAN_PORTS: 4789
    TEREDO_PORTS: 3544
...
        - ftp
        - rdp
        - nfs
        - smb
        - tftp
        - ikev2
        - dcerpc
        - krb5
        - snmp
        - rfb
        - sip

Can I define something like the following?

MY_PROGRAM_PORTS: "65535"
...
- my_program:
            enabled: yes

Thank you.

Hi,

For Windows, the command line to activate Suricata as a service is this:

suricata -c suricata.yaml -i 192.168.1.102 -l ./log -knone -vvv --service-install

net start suricata

I don’t know if there is another way, but IPS mode for Windows is done with WinDivert.

> runas /user:Administrator "cmd"
> suricata -c suricata.yaml -vv --windivert tcp

(drop.rules)
drop tcp any any -> any any (msg: "Google"; content: "google"; classtype: misc-activity; sid: 393981460; rev: 1;)

https://suricata.readthedocs.io/en/suricata-6.0.0/setting-up-ipsinline-for-windows.html


Thank you.
Why did you use -i 192.168.1.102 when you can set it in the suricata.yaml file?
Can I use the command below?

C:\> suricata -c suricata.yaml --windivert -l ./log -knone -vvv --service-install
C:\> net start suricata

If I don’t specify a protocol, are both TCP and UDP used?

Hello,

I indicate the IP out of habit :wink:

Regarding the protocols, yes.


Thank you.
I set my IP address in the suricata.yaml file and ran the command below:

C:\> suricata -c suricata.yaml --windivert -l ./log -knone -vvv --service-install

But I got the error below:

suricata: unknown option -- windivert

Hi,

There are some drivers that must be installed:

Web:

https://reqrypt.org/windivert.html

:wink:


Thanks.
I downloaded the WinDivert-2.2.0-A.zip file, and copied the files as the document said:

WinDivert.dll and WinDivert.sys must be in the same directory as the Suricata executable.

But, I got the same error.

I did:

C:\Program Files\Suricata>suricata -c suricata.yaml windivert -l ./log -knone -vvv --service-install
24/8/2021 -- 15:21:57 - <Info> - Running as service: no
24/8/2021 -- 15:21:57 - <Error> - [ERRCODE: SC_ERR_SVC(162)] - Can't open SCM: 5

How can I solve it?

Hi,

https://www.reqrypt.org/windivert-doc.html#installing

(The WinDivert driver is automatically (and silently) installed on demand whenever your application calls WinDivertOpen(). The calling application must have Administrator privileges.)


Why did I get the error below?

Hi,

suricata -c suricata.yaml windivert -l ./log -knone -vvv -i 10.0.2.15 (NO)

:point_down:

suricata -c suricata.yaml --windivert tcp -l ./log -knone -vvv -i 10.0.2.15

(Run as administrator).


Thanks.
I ran my “cmd.exe” as administrator and it doesn’t work.

Hi,

Share here the output with the error.


Hi,
The output is:

C:\Program Files\Suricata>suricata -c suricata.yaml --windivert tcp -l ./log -knone -vvv -i 10.0.2.15
28/8/2021 -- 10:07:18 - <Info> - Running as service: no
suricata: unknown option -- windivert
Suricata 6.0.1
...

Hi,

In previous versions it was not like that, it was compiled with Windivert:

First start by compiling Suricata with WinDivert support. For instructions, see Windows Installation. This documentation has not yet been updated with WinDivert information, so make sure to add the following flags before configuring Suricata with configure.

We have a WinDivert-enabled Windows MSI package as well.
Will feedback.


Hi,

Thanks pevma, I found it:

https://www.openinfosecfoundation.org/downloads/windows/Suricata-6.0.3-windivert-1-64bit.msi

There you have it. Now it should work correctly, Hack3rcon.


Ok, thank you for the feedback.


Hi,
Thank you.
I downloaded https://www.openinfosecfoundation.org/downloads/windows/Suricata-6.0.3-windivert-1-64bit.msi file and installed it.
The output is:

C:\Program Files\Suricata>suricata -c suricata.yaml --windivert tcp -l ./log -knone -vvv --service-install
31/8/2021 -- 17:04:21 - <Info> - Running as service: no
31/8/2021 -- 17:04:21 - <Error> - [ERRCODE: SC_ERR_SVC(162)] - Can't create service: 1073
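The two SC_ERR_SVC lines in this thread (`Can't open SCM: 5` and `Can't create service: 1073`) end with a Win32 last-error code, and that number identifies the cause more precisely than the message text. The script below is an added example written for this page, not code from the Suricata project: it decodes those service errors, recognises `unknown option -- windivert` as the sign of a build without WinDivert support, checks `suricata --build-info` text for a WinDivert line, and lists WinDivert files missing next to `suricata.exe`. The sample log lines are copied from this thread; the build-info excerpt and the `C:\Program Files\Suricata` path are constructed, and the `--service-remove` hint assumes Suricata's service-removal option.

```python
import re
from pathlib import Path
from typing import List, Optional

# Constructed sample lines, copied from the error output quoted in this thread.
SAMPLE_LINES = [
    "24/8/2021 -- 15:21:57 - <Error> - [ERRCODE: SC_ERR_SVC(162)] - Can't open SCM: 5",
    "31/8/2021 -- 17:04:21 - <Error> - [ERRCODE: SC_ERR_SVC(162)] - Can't create service: 1073",
    "suricata: unknown option -- windivert",
    "24/8/2021 -- 15:21:57 - <Info> - Running as service: no",
]

# Win32 system error codes from winerror.h; the number after the colon in
# Suricata's SC_ERR_SVC messages is the Windows last-error value.
WIN32_ERRORS = {
    5: ("ERROR_ACCESS_DENIED",
        "the console was not elevated: open it with 'Run as administrator' before --service-install"),
    1073: ("ERROR_SERVICE_EXISTS",
           "a 'suricata' service is already registered: start it with 'net start suricata', "
           "or remove it (suricata --service-remove, assumed option) and install again"),
}

SVC_RE = re.compile(r"\[ERRCODE: SC_ERR_SVC\(\d+\)\] - (?P<what>[^:]+): (?P<code>\d+)\s*$")
UNKNOWN_OPT_RE = re.compile(r"unknown option -- (?P<opt>\S+)")


def triage(line: str) -> Optional[str]:
    """Return a diagnosis for a service/WinDivert error line, or None for other lines."""
    m = SVC_RE.search(line)
    if m:
        code = int(m.group("code"))
        name, hint = WIN32_ERRORS.get(code, ("unknown Win32 error", "look the code up in winerror.h"))
        return f"{m.group('what')} -> Win32 error {code} ({name}); {hint}"
    m = UNKNOWN_OPT_RE.search(line)
    if m and m.group("opt") == "windivert":
        # Suricata only accepts --windivert when it was built with WinDivert support.
        return ("this Suricata build has no WinDivert support: install the WinDivert-enabled "
                "MSI and confirm with 'suricata --build-info'")
    return None


# Constructed excerpt of 'suricata --build-info' output; the label wording
# varies between versions, so only the 'WinDivert' prefix and yes/no are checked.
BUILD_INFO_SAMPLE = """\
Suricata Configuration:
  AF_PACKET support:                       no
  WinDivert enabled:                       yes
"""


def windivert_enabled(build_info: str) -> bool:
    """True when the --build-info text reports WinDivert support."""
    m = re.search(r"^\s*WinDivert[^:\n]*:\s*(yes|no)\b", build_info, re.M | re.I)
    return bool(m) and m.group(1).lower() == "yes"


def missing_windivert_files(suricata_dir: str) -> List[str]:
    """WinDivert files that should sit next to suricata.exe but are absent.

    The docs quoted above name WinDivert.dll and WinDivert.sys; the 2.x zip
    ships the driver as WinDivert64.sys/WinDivert32.sys, so any WinDivert*.sys
    is accepted here."""
    d = Path(suricata_dir)
    missing = []
    if not (d / "WinDivert.dll").is_file():
        missing.append("WinDivert.dll")
    if not list(d.glob("WinDivert*.sys")):
        missing.append("WinDivert*.sys")
    return missing


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
        print("   ", triage(line) or "(no action needed)")
    print("WinDivert in build-info:", windivert_enabled(BUILD_INFO_SAMPLE))
    # Constructed install path; adjust to where suricata.exe actually lives.
    print("missing next to suricata.exe:", missing_windivert_files(r"C:\Program Files\Suricata"))
```

Run it on a saved copy of the console output, or pipe `suricata --build-info` into `windivert_enabled`, before retrying `--service-install`; error 5 goes away with an elevated console, and error 1073 means the earlier install (or the MSI) already registered the service, so the next step is `net start suricata` rather than another install.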

Hi,

Try running it first without installing the service.
When you want to run it as a service, it has to be as Administrator.

Will you also have to indicate the IP?

suricata -c suricata.yaml -i 192.168.1.102 -l ./log -knone -vvv --service-install

net start Suricata

To make IPS mode work with WinDivert, you will also have to create a series of drop rules and put them in a rules file that is read from suricata.yaml.

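The drop.conf from question 3 and the "series of drop rules" in the last reply are the same mechanism: on Windows as on Linux, Suricata in inline mode only blocks traffic for rules whose action is `drop`, and suricata-update turns matching `alert` rules into `drop` rules using the `re:` patterns in drop.conf (`--drop-conf`). The script below is an added example written for this page, not suricata-update's own code; it re-implements that conversion (case-insensitive regex search over the whole rule text, like suricata-update's matcher) so you can see exactly which rules become `drop` before loading the file from suricata.yaml. The drop.conf patterns are the ones quoted in the question; the sample rules and their sids are constructed placeholders in Emerging Threats naming style, not real ET signatures.

```python
import re
from typing import Tuple

# Constructed drop.conf, using the 're:' patterns quoted in the question.
DROP_CONF = """\
# comments and blank lines are ignored
re: ET.CNC
re: ET.DOS
re: ET.DROP
re: ET.ACTIVEX
re: ET.COINMINER
re: ET.SCAN
re: ET.SHELLCODE
re: ET.ATTACK_RESPONSE
re: ET.WEB_SERVER
"""

# Constructed sample rules in Emerging Threats naming style; sids are placeholders.
SAMPLE_RULES = """\
alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Example scanner UA"; flow:established,to_server; http.user_agent; content:"examplescanner"; classtype:web-application-attack; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CNC Example beacon"; flow:established,to_server; content:"|de ad be ef|"; classtype:trojan-activity; sid:9000002; rev:1;)
alert dns $HOME_NET any -> any any (msg:"ET INFO Example DNS query"; dns.query; content:"example.test"; classtype:misc-activity; sid:9000003; rev:1;)
# disabled rules are left untouched
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Example probe"; sid:9000004; rev:1;)
"""

# A rule starts with its action keyword; only 'alert' rules are promoted to 'drop'.
ACTION_RE = re.compile(r"^(alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s", re.I)


def parse_drop_conf(text: str) -> list:
    """Compile the 're:' lines of a drop.conf into case-insensitive patterns."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("re:"):
            patterns.append(re.compile(line.split(":", 1)[1].strip(), re.I))
        # other matcher kinds (sid lists, group names) are out of scope here
    return patterns


def apply_drop_conf(rules_text: str, patterns: list) -> Tuple[str, int]:
    """Rewrite 'alert' to 'drop' for every enabled rule some pattern matches.

    Returns the rewritten rules text and the number of rules changed."""
    out = []
    changed = 0
    for raw in rules_text.splitlines():
        rule = raw.strip()
        m = ACTION_RE.match(rule)
        # comments, blank lines and non-alert rules pass through unchanged
        if not rule or rule.startswith("#") or not m or m.group(1).lower() != "alert":
            out.append(raw)
            continue
        if any(p.search(rule) for p in patterns):
            out.append("drop" + rule[len(m.group(1)):])
            changed += 1
        else:
            out.append(raw)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    text, n = apply_drop_conf(SAMPLE_RULES, parse_drop_conf(DROP_CONF))
    print(f"{n} rule(s) converted to drop")
    print(text)
```

Point suricata.yaml's `rule-files:` at the written output (or let suricata-update write it) and Suricata in `--windivert` mode will drop the matching flows instead of only logging them. Because each `re:` pattern is searched over the whole rule text, review the converted list before deploying: a loose pattern such as `ET.DROP` matches any rule whose msg or options happen to contain that string, and a false positive in IPS mode blocks legitimate traffic rather than just producing a noisy alert.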