Before you start
================
An up to date version of this document can be found online:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Windows
Alternatively, an installation document for using CYGWIN instead of MinGW can
be found here:
https://redmine.openinfosecfoundation.org/attachments/download/676/SurWinInstallGuide.pdf
This file describes how to build and run Suricata on Windows. Currently
Windows XP and above are supported.
Preparing the build environment
===============================
1. Setup MinGW environment from http://mingw.org
Do not use the automatic installer as it is deprecated. Manually unpack
the following packages to c:\mingw (use newer versions if you like):
* binutils
o binutils-2.20<EFBFBD> 1-mingw32-bin.tar.gz
* mingw-runtime (dev and dll):
o mingwrt-3.17-mingw32-dll.tar.gz
o mingwrt-3.17-mingw32-dev.tar.gz
* w32api
o w32api-3.14-mingw32-dev.tar.gz
* required runtime libraries for GCC (gmp, libiconv, MPFR and pthreads):
o gmp-4.2.4-mingw32-dll.tar.gz
o libiconv-1.13.1<EFBFBD> 1-mingw32-dll-2.tar.lzma
o mpfr-2.4.1-mingw32-dll.tar.gz
o pthreads-w32<33> 2.8.0-mingw32-dll.tar.gz
* gcc-core (bin and dll):
o gcc-core-4.4.0-mingw32-bin.tar.gz
o gcc-core-4.4.0-mingw32-dll.tar.gz
* make
o make-3.81<EFBFBD> 20090914-mingw32-bin.tar.gz
* zlib
o libz-1.2.3-1-mingw32-dll-1.tar.gz
o libz-1.2.3-1-mingw32-dev.tar.gz
2. Install MSYS
http://sourceforge.net/projects/mingw/files/
MSYS-1.0.11.exe (MSYS Base System)
msysDTK-1.0.1.exe (MSYS Suplementary Tools)
autoconf-2.63<EFBFBD> 1-msys-1.0.11-bin.tar.lzma
automake-1.11<EFBFBD> 1-msys-1.0.11-bin.tar.lzma
libtool-2.2.7a-1-msys-1.0.11-bin.tar.lzma
MSYS will ask questions during the installation:
Accept Post Install: [y]
MinGW Installed? : [y]
path to MinGW: [c:/MinGW]
3. Install pkg-config taken from http://wiki.videolan.org/Win32CompileMSYSNew#PKG-CONFIG
Download and extract the following into c:\Msys\1.0
http://ftp.gnome.org/pub/GNOME/binaries/win32/glib/2.18/glib_2.18.2-1_win32.zip
ftp://ftp.gnome.org/pub/gnome/binaries/win32/dependencies/pkg-config_0.23-3_win32.zip
ftp://ftp.gnome.org/pub/gnome/binaries/win32/dependencies/pkg-config-dev_0.23-3_win32.zip
Set PKG_CONFIG_PATH=/win32/lib/pkgconfig
(e.g. by adding the Windows enviroment variable PKG_CONFIG_PATH in "Control Panel"->"System"->"Advanced System Settings"->"Environment Variables" and setting the value to /win32/lib/pkgconfig)
4. Get git
Download portable GIT from this URL:
http://code.google.com/p/msysgit/
- unpack to /msys/1.0
- don't forget to edit your ~/.gitconfig to at least give youreself a name :-)
5. Get libpcre
http://www.pcre.org/
./configure --enable-utf8 --disable-cpp --prefix=/mingw
make
make install
6. Get libyaml
http://pyyaml.org/wiki/LibYAML
It does not support mingw compilation. However it works in static mode:
./configure --prefix=/mingw CFLAGS="-DYAML_DECLARE_STATIC"
make
make install
7. Get libpcap
Guide can be found here:
- Download Devlopers pack http://www.winpcap.org/devel.htm
- Download and install a coresponding installer package http://www.winpcap.org/install/default.htm (to have the driver in the system)
- Copy includes to c:/mingw/include and libs (.a) to c:/mingw/lib
- Rename libwpcap to libpcap
8. Get and compile Suricata
git clone git://phalanx.openinfosecfoundation.org/oisf.git
cd oisf
Because of some weird autools port bug we do the following:
dos2unix.exe libhtp/configure.ac
dos2unix.exe libhtp/htp.pc.in
dos2unix.exe libhtp/Makefile.am
./autogen.sh
./configure CFLAGS="-DYAML_DECLARE_STATIC"
# add --enable-nfqueue as parameter to configure to enable inline mode
make
If everything goes well, you'll end up with suricata.exe in src/.lib. To test it
you will need libpcre-0.dll, libz-1.dll, and pthreadGC2.dll which you already have somewhere
under c:/mingw or c:/msys. To prepare the runtime environment:
- copy the executable and the DLLs to a dedicated directory
- get there classification.config and suricata.yaml
- edit suricata.yaml (at least set the directories correctly)
PCAP Mode
=========
Make sure you have winpcap runtime and driver installed and then:
- determine your eth device UUID in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
- now cross your fingers and do:
suricata.exe -c suricata.yaml -i \DEVICE\{your device uuid}
Inline Mode
===========
You need to downoad, compile and install netfilterforwin (the netfilter.sys
driver and Windows port of the libnetfilter_queue library):
1. Download and install Windows Driver Kit from Microsoft
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=36a2630f-5d56-43b5-b996-7633f2ec14ff
2. Download netfilterforwin
http://sourceforge.net/projects/netfilterforwin/
Unpack it so the netfilterforwin directory (omit the version from its name)
is beside the oisf directory.
3. Compile the driver
- Open the build environment from you Start menu:
Start->All Programs->windows Driver Kits->WDK xxxx.yyyy.z->Build Environments
->Windows Server 2003->x86 Free Build Environment
(or the one which is proper for your system)
- cd to netfilterforwin/netfilter
- enter command:
nmake
4. Install the driver
- copy inf/* files and the freshly built netfilter.sys to a separate directory
- open network connecions
- right-click an interface, select properties
- click install...
- select service
- click add
- click 'have disk...'
- browse to the directory with the inf files and netfilter.sys, select netfilter.inf anc click ok
- confirm everything
You should have the driver installed now.
5. Run Suricata in inline mode:
suricata.exe -c suricata.yaml -q 0
