diff options
Diffstat (limited to 'doc/userguide/setting-up-ipsinline-for-windows.rst')
| -rw-r--r-- | doc/userguide/setting-up-ipsinline-for-windows.rst | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/doc/userguide/setting-up-ipsinline-for-windows.rst b/doc/userguide/setting-up-ipsinline-for-windows.rst new file mode 100644 index 0000000..0581e83 --- /dev/null +++ b/doc/userguide/setting-up-ipsinline-for-windows.rst @@ -0,0 +1,69 @@ +Setting up IPS/inline for Windows
+=================================
+
+This guide explains how to work with Suricata in layer 4 inline mode using
+WinDivert on Windows.
+
+First start by compiling Suricata with WinDivert support. For instructions, see
+`Windows Installation
+<https://redmine.openinfosecfoundation.org/attachments/download/1175/SuricataWinInstallationGuide_v1.4.3.pdf>`_.
+This documentation has not yet been updated with WinDivert information, so make
+sure to add the following flags before configuring Suricata with ``configure``:
+
+::
+
+ --enable-windivert=yes --with-windivert-include=<include-dir> --with-windivert-libraries=<libraries-dir>
+
+WinDivert.dll and WinDivert.sys must be in the same directory as the Suricata
+executable. WinDivert automatically installs the driver when it is run. For more
+information about WinDivert, see https://www.reqrypt.org/windivert-doc.html.
+
+To check if you have WinDivert enabled in your Suricata, enter the following
+command in an elevated command prompt or terminal:
+
+::
+
+ suricata -c suricata.yaml --windivert [filter string]
+
+For information on the WinDivert filter language, see
+https://www.reqrypt.org/windivert-doc.html#filter_language
+
+If Suricata is running on a gateway and is meant to protect the network behind
+that gateway, you need to run WinDivert at the `NETWORK_FORWARD` layer. This can
+be achieved using the following command:
+
+::
+
+ suricata -c suricata.yaml --windivert-forward [filter string]
+
+The filter is automatically stopped and normal traffic resumes when Suricata is
+stopped.
+
+A quick start is to examine all traffic, in which case you can use the following
+command:
+
+::
+
+ suricata -c suricata.yaml --windivert[-forward] true
+
+A few additional examples:
+
+Only TCP traffic:
+
+::
+
+ suricata -c suricata.yaml --windivert tcp
+
+
+Only TCP traffic on port 80:
+
+::
+
+ suricata -c suricata.yaml --windivert "tcp.DstPort == 80"
+
+
+TCP and ICMP traffic:
+
+::
+
+ suricata -c suricata.yaml --windivert "tcp or icmp"
|