Setting up IPS/inline for Windows
=================================

This guide explains how to work with Suricata in layer 4 inline mode using
WinDivert on Windows.

Start by compiling Suricata with WinDivert support. For instructions, see
`Windows Installation
<https://redmine.openinfosecfoundation.org/attachments/download/1175/SuricataWinInstallationGuide_v1.4.3.pdf>`_.
That documentation has not yet been updated with WinDivert information, so make
sure to add the following flags when configuring Suricata with ``configure``:

::

  --enable-windivert=yes --with-windivert-include=<include-dir> --with-windivert-libraries=<libraries-dir>

WinDivert.dll and WinDivert.sys must be in the same directory as the Suricata
executable. WinDivert installs its driver automatically when it is run. For more
information about WinDivert, see https://www.reqrypt.org/windivert-doc.html.

To check that WinDivert support is enabled in your Suricata build, enter the
following command in an elevated command prompt or terminal:

::

  suricata -c suricata.yaml --windivert [filter string]

For information on the WinDivert filter language, see
https://www.reqrypt.org/windivert-doc.html#filter_language

If Suricata is running on a gateway and is meant to protect the network behind
that gateway, you need to run WinDivert at the ``NETWORK_FORWARD`` layer. This can
be achieved using the following command:

::

  suricata -c suricata.yaml --windivert-forward [filter string]

The filter is automatically stopped and normal traffic resumes when Suricata is
stopped.

A quick way to start is to examine all traffic, in which case you can use the
following command:

::

  suricata -c suricata.yaml --windivert[-forward] true

A few additional examples:

Only TCP traffic:

::

  suricata -c suricata.yaml --windivert tcp

Only TCP traffic on port 80:

::

  suricata -c suricata.yaml --windivert "tcp.DstPort == 80"

TCP and ICMP traffic:

::

  suricata -c suricata.yaml --windivert "tcp or icmp"
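A pre-flight script for the setup described above, added here as an example and not part of the Suricata documentation: it checks the requirement that WinDivert.dll and WinDivert.sys sit next to the Suricata executable and that the shell is elevated, then builds the command line with ``--windivert`` or ``--windivert-forward`` and a filter string. The install path ``C:\Suricata`` and the function names ``Test-WinDivertPrereqs`` and ``Get-SuricataWinDivertArgs`` are assumptions.

```powershell
# Added example (not from the Suricata docs). Assumed install path; adjust to your build.
$SuricataDir = 'C:\Suricata'

function Test-WinDivertPrereqs {
    param([string]$Dir)
    $problems = @()
    # WinDivert.dll and WinDivert.sys must be in the same directory as suricata.exe
    foreach ($f in 'suricata.exe', 'WinDivert.dll', 'WinDivert.sys') {
        if (-not (Test-Path (Join-Path $Dir $f))) { $problems += "missing $f in $Dir" }
    }
    # WinDivert installs a kernel driver on first use, so the prompt must be elevated
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        $problems += 'shell is not elevated'
    }
    return $problems
}

function Get-SuricataWinDivertArgs {
    param([string]$Filter, [switch]$Gateway)
    # Use --windivert-forward (NETWORK_FORWARD layer) when this host is a gateway
    # protecting the network behind it, --windivert otherwise. A filter string that
    # contains spaces is passed as a single argument.
    $flag = if ($Gateway) { '--windivert-forward' } else { '--windivert' }
    return @('-c', (Join-Path $SuricataDir 'suricata.yaml'), $flag, $Filter)
}

$problems = Test-WinDivertPrereqs -Dir $SuricataDir
if ($problems) {
    $problems | ForEach-Object { Write-Error $_ }
    exit 1
}

# Inspect only TCP traffic to port 80 on this host (add -Gateway for the forward layer)
$suriArgs = Get-SuricataWinDivertArgs -Filter 'tcp.DstPort == 80'
& (Join-Path $SuricataDir 'suricata.exe') @suriArgs
```

Stopping Suricata (Ctrl+C) removes the filter and normal traffic resumes, as the guide states.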