Tags: windows, inline, intrusion-detection, suricata

Suricata Windows inline mode


I'm setting up Suricata on Windows. I can test the inline mode, but when I try to put it in inline mode so I can drop instead of alert, I get the error "cannot find the NF Queue". I first tried the automatic installation, but this way it seems impossible to use Suricata inline.

Is there anyone who has successfully managed to put Snort for Windows in inline mode? Please help me out.


Solution

  • At some point a library, netfilter4win, existed, but it's long dead. This library could be used to run Suricata in IPS mode on Windows.

    We currently have no IPS mode on Windows. There is one possible option though: there is netmap support for Cygwin here: https://github.com/luigirizzo/netmap/tree/master/WINDOWS

    Suricata does work in IPS mode with netmap on FreeBSD. Possibly this will work with Suricata in IPS mode on Windows as well.

    We're tracking that here: https://redmine.openinfosecfoundation.org/issues/1752
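The "cannot find the NF Queue" error in the question usually means the binary was built without the capture method that inline mode needs, which is the first thing to check before trying netmap or any other option. The script below is an added example, not code from the thread or from the Suricata project: it parses the output of `suricata --build-info` and lists which inline-capable capture methods (NFQ, NETMAP, AF_PACKET, IPFW) were compiled in. It assumes that `--build-info` prints a line starting with `Features:` followed by space-separated feature tokens; the two sample outputs embedded in the script are constructed for illustration, not captured from a real installation.

```shell
#!/bin/sh
# Added example (not from the original thread or the Suricata project):
# check which capture methods a Suricata binary was compiled with, based on
# the "Features:" line of `suricata --build-info`. That line format is an
# assumption here; the sample outputs below are constructed, not real.

# Returns 0 if the given feature token appears on the "Features:" line.
has_feature() {
    build_info="$1"
    feature="$2"
    printf '%s\n' "$build_info" | grep '^Features:' | tr ' ' '\n' | grep -qx "$feature"
}

# Prints the inline (IPS) capture methods that are compiled in, one per line.
# An empty result means the binary can only run in IDS (alert-only) mode.
ips_methods() {
    build_info="$1"
    for f in NFQ NETMAP AF_PACKET IPFW; do
        if has_feature "$build_info" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample shaped like a Windows build: no NFQ, so no inline mode.
SAMPLE_WIN='This is Suricata version X.Y.Z RELEASE
Features: PCAP_SET_BUFF HAVE_LIBNET11 TLS
SIMD support: none'

# Constructed sample shaped like a Linux build with NFQ, AF_PACKET and NETMAP.
SAMPLE_LINUX='This is Suricata version X.Y.Z RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT NETMAP
SIMD support: none'

# Real use against an installed binary (commented out so the script runs offline):
# ips_methods "$(suricata --build-info)"
```

Run `ips_methods "$(suricata --build-info)"` on the machine in question; if nothing is printed, the NFQ error is expected and no `suricata.yaml` change will enable drop mode with that build.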