[people/ms/suricata.git] / doc / userguide / setting-up-ipsinline-for-windows.rst

Setting up IPS/inline for Windows\r
=================================\r
\r
This guide explains how to work with Suricata in layer 4 inline mode using\r
WinDivert on Windows.\r
\r
First start by compiling Suricata with WinDivert support. For instructions, see\r
`Windows Installation\r
<https://redmine.openinfosecfoundation.org/attachments/download/1175/SuricataWinInstallationGuide_v1.4.3.pdf>`_.\r
This documentation has not yet been updated with WinDivert information, so make\r
sure to add the following flags before configuring Suricata with ``configure``:\r
\r
::\r
  \r
  --enable-windivert=yes --with-windivert-include=<include-dir> --with-windivert-libraries=<libraries-dir>\r
\r
WinDivert.dll and WinDivert.sys must be in the same directory as the Suricata\r
executable. WinDivert automatically installs the driver when it is run. For more\r
information about WinDivert, see https://www.reqrypt.org/windivert-doc.html.\r
\r
To check if you have WinDivert enabled in your Suricata, enter the following\r
command in an elevated command prompt or terminal:\r
\r
::\r
  \r
  suricata -c suricata.yaml --windivert [filter string]\r
\r
For information on the WinDivert filter language, see\r
https://www.reqrypt.org/windivert-doc.html#filter_language\r
\r
If Suricata is running on a gateway and is meant to protect the network behind\r
that gateway, you need to run WinDivert at the `NETWORK_FORWARD` layer. This can\r
be achieved using the following command:\r
\r
::\r
\r
  suricata -c suricata.yaml --windivert-forward [filter string]\r
\r
The filter is automatically stopped and normal traffic resumes when Suricata is\r
stopped.\r
\r
A quick start is to examine all traffic, in which case you can use the following\r
command:\r
\r
::\r
  \r
  suricata -c suricata.yaml --windivert[-forward] true\r
\r
A few additional examples:\r
\r
Only TCP traffic:\r
\r
::\r
\r
  suricata -c suricata.yaml --windivert tcp\r
\r
\r
Only TCP traffic on port 80:\r
\r
::\r
\r
  suricata -c suricata.yaml --windivert "tcp.DstPort == 80"\r
\r
\r
TCP and ICMP traffic:\r
\r
::\r
\r
  suricata -c suricata.yaml --windivert "tcp or icmp"\r
Commit	Line	Data
ec77632e JMS	1	Setting up IPS/inline for Windows\r
	2	=================================\r
	3	\r
	4	This guide explains how to work with Suricata in layer 4 inline mode using\r
	5	WinDivert on Windows.\r
	6	\r
	7	First start by compiling Suricata with WinDivert support. For instructions, see\r
	8	`Windows Installation\r
	9	<https://redmine.openinfosecfoundation.org/attachments/download/1175/SuricataWinInstallationGuide_v1.4.3.pdf>`_.\r
	10	This documentation has not yet been updated with WinDivert information, so make\r
06f41f60	11	sure to add the following flags before configuring Suricata with ``configure``:\r
ec77632e JMS	12	\r
	13	::\r
	14	\r
	15	--enable-windivert=yes --with-windivert-include=<include-dir> --with-windivert-libraries=<libraries-dir>\r
	16	\r
	17	WinDivert.dll and WinDivert.sys must be in the same directory as the Suricata\r
	18	executable. WinDivert automatically installs the driver when it is run. For more\r
	19	information about WinDivert, see https://www.reqrypt.org/windivert-doc.html.\r
	20	\r
	21	To check if you have WinDivert enabled in your Suricata, enter the following\r
	22	command in an elevated command prompt or terminal:\r
	23	\r
	24	::\r
	25	\r
	26	suricata -c suricata.yaml --windivert [filter string]\r
	27	\r
	28	For information on the WinDivert filter language, see\r
	29	https://www.reqrypt.org/windivert-doc.html#filter_language\r
	30	\r
	31	If Suricata is running on a gateway and is meant to protect the network behind\r
06f41f60	32	that gateway, you need to run WinDivert at the `NETWORK_FORWARD` layer. This can\r
ec77632e JMS	33	be achieved using the following command:\r
	34	\r
	35	::\r
	36	\r
	37	suricata -c suricata.yaml --windivert-forward [filter string]\r
	38	\r
	39	The filter is automatically stopped and normal traffic resumes when Suricata is\r
	40	stopped.\r
	41	\r
	42	A quick start is to examine all traffic, in which case you can use the following\r
	43	command:\r
	44	\r
	45	::\r
	46	\r
	47	suricata -c suricata.yaml --windivert[-forward] true\r
	48	\r
	49	A few additional examples:\r
	50	\r
	51	Only TCP traffic:\r
06f41f60	52	\r
ec77632e JMS	53	::\r
	54	\r
	55	suricata -c suricata.yaml --windivert tcp\r
	56	\r
06f41f60	57	\r
ec77632e	58	Only TCP traffic on port 80:\r
06f41f60	59	\r
ec77632e JMS	60	::\r
	61	\r
	62	suricata -c suricata.yaml --windivert "tcp.DstPort == 80"\r
	63	\r
06f41f60	64	\r
ec77632e	65	TCP and ICMP traffic:\r
06f41f60	66	\r
ec77632e JMS	67	::\r
ec77632e JMS	68	\r
06f41f60	69	suricata -c suricata.yaml --windivert "tcp or icmp"\r