I like to be able to get work done, regardless of the machine I’m using. That’s why I installed Suricata on Windows to help me develop rules.
Here is the process:
Installing Suricata with default settings:
Now that I installed Suricata in the programs folder, I’m going to create a folder with my configurations, rules and test captures. Let’s say that folder is C:\Suricata.
In that folder, I create folders log, rules and projects.
In folder rules, I copy the content of the rules folder in the Suricata programs directory.
threshold.config is an empty file, and suricata.yaml is a copy of suricata.yaml found inside the Suricata programs directory.
You can find the modifications I make to suricata.yaml on GitHub. Of course, you can make more configuration changes, this is just a minimum.
Then, for each project or test, I create a folder in folder projects. Like this mimikatz folder:
I use the following BAT file to start Suricata with my rules and my capture file:
“C:\Program Files (x86)\Suricata\suricata.exe” -c ..\..\suricata.yaml -S mimikatz.rules -l logs -k none -v -r drsuapi-DsGetNCChanges.pcap
pause
With option -S I use my rule file mimikatz.rules (exclusively, no other rule file will be loaded), option -l logs uses my local logs directory to write the log files, -k none disable checksum checks, -v means verbose and -r .pcap reads my capture file for processing by Suricata.
If you get this error:
you need to install WinPcap. Here is the installation with default options:
Then you will get output like this:
When you use option -s in stead of -S, your rule will be loaded together with the rules configured in the configuration file. This will give you warnings, because the rule files are missing:
You can download rules from Emerging Threats and extract the files from the rules folder to your C:\Suricata\rules folder.
Of course, you can also process your capture file without explicit rule:
Please post a comment if you want to share your own preferred configuration options.
Quickpost info
Didier Stevens 