suricata/doc/INSTALL.WINDOWS

Before you start
================

An up to date version of this document can be found online:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Windows

Alternatively, an installation document for using CYGWIN instead of MinGW can
be found here:
https://redmine.openinfosecfoundation.org/attachments/download/676/SurWinInstallGuide.pdf

This file describes how to build and run Suricata on Windows. Currently
Windows XP and above are supported.


Preparing the build environment
===============================

1. Setup MinGW environment from http://mingw.org

Do not use the automatic installer as it is deprecated. Manually unpack
the following packages to c:\mingw (use newer versions if you like):

    * binutils
          o binutils-2.20–1-mingw32-bin.tar.gz
    * mingw-runtime (dev and dll):
          o mingwrt-3.17-mingw32-dll.tar.gz
          o mingwrt-3.17-mingw32-dev.tar.gz
    * w32api
          o w32api-3.14-mingw32-dev.tar.gz
    * required runtime libraries for GCC (gmp, libiconv, MPFR and pthreads):
          o gmp-4.2.4-mingw32-dll.tar.gz
          o libiconv-1.13.1–1-mingw32-dll-2.tar.lzma
          o mpfr-2.4.1-mingw32-dll.tar.gz
          o pthreads-w32–2.8.0-mingw32-dll.tar.gz
    * gcc-core (bin and dll):
          o gcc-core-4.4.0-mingw32-bin.tar.gz
          o gcc-core-4.4.0-mingw32-dll.tar.gz
    * make
          o make-3.81–20090914-mingw32-bin.tar.gz
    * zlib
          o libz-1.2.3-1-mingw32-dll-1.tar.gz
	  o libz-1.2.3-1-mingw32-dev.tar.gz

2. Install MSYS

    http://sourceforge.net/projects/mingw/files/

    MSYS-1.0.11.exe (MSYS Base System)
    msysDTK-1.0.1.exe (MSYS Suplementary Tools)
    autoconf-2.63–1-msys-1.0.11-bin.tar.lzma
    automake-1.11–1-msys-1.0.11-bin.tar.lzma
    libtool-2.2.7a-1-msys-1.0.11-bin.tar.lzma

    MSYS will ask questions during the installation:
    Accept Post Install: [y]
    MinGW Installed? :   [y]
    path to MinGW:       [c:/MinGW]

3. Install pkg-config taken from http://wiki.videolan.org/Win32CompileMSYSNew#PKG-CONFIG
   Download and extract the following into c:\Msys\1.0
   http://ftp.gnome.org/pub/GNOME/binaries/win32/glib/2.18/glib_2.18.2-1_win32.zip
   ftp://ftp.gnome.org/pub/gnome/binaries/win32/dependencies/pkg-config_0.23-3_win32.zip
   ftp://ftp.gnome.org/pub/gnome/binaries/win32/dependencies/pkg-config-dev_0.23-3_win32.zip

   Set PKG_CONFIG_PATH=/win32/lib/pkgconfig

   (e.g. by adding the Windows enviroment variable PKG_CONFIG_PATH in "Control Panel"->"System"->"Advanced System Settings"->"Environment Variables" and setting the value to /win32/lib/pkgconfig)


4. Get git

    Download portable GIT from this URL:
    http://code.google.com/p/msysgit/

    - unpack to /msys/1.0
    - don't forget to edit your ~/.gitconfig to at least give youreself a name :-)

5. Get libpcre2

    http://www.pcre.org/

    ./configure --enable-utf8 --disable-cpp --prefix=/mingw
    make
    make install

6. Get libyaml

    http://pyyaml.org/wiki/LibYAML

    It does not support mingw compilation. However it works in static mode:

    ./configure --prefix=/mingw CFLAGS="-DYAML_DECLARE_STATIC"
    make
    make install

7. Get libpcap

    Guide can be found here:
    - Download Devlopers pack http://www.winpcap.org/devel.htm
    - Download and install a coresponding installer package http://www.winpcap.org/install/default.htm (to have the driver in the system)
    - Copy includes to c:/mingw/include and libs (.a) to c:/mingw/lib
    - Rename libwpcap to libpcap

8. Get and compile Suricata

    git clone git://phalanx.openinfosecfoundation.org/oisf.git
    cd oisf

    Because of some weird autools port bug we do the following:
    dos2unix.exe libhtp/configure.ac
    dos2unix.exe libhtp/htp.pc.in
    dos2unix.exe libhtp/Makefile.am

    ./autogen.sh
    ./configure CFLAGS="-DYAML_DECLARE_STATIC"
	# add --enable-nfqueue as parameter to configure to enable inline mode
    make

If everything goes well, you'll end up with suricata.exe in src/.lib. To test it
you will need libpcre2-0.dll, libz-1.dll, and pthreadGC2.dll which you already have somewhere
under c:/mingw or c:/msys. To prepare the runtime environment:

    - copy the executable and the DLLs to a dedicated directory
    - get there classification.config and suricata.yaml
    - edit suricata.yaml (at least set the directories correctly)

PCAP Mode
=========

Make sure you have winpcap runtime and driver installed and then:

    - determine your eth device UUID in the registry:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
    - now cross your fingers and do:
        suricata.exe -c suricata.yaml -i \DEVICE\{your device uuid}


Inline Mode
===========

You need to downoad, compile and install netfilterforwin (the netfilter.sys
driver and Windows port of the libnetfilter_queue library):

1. Download and install Windows Driver Kit from Microsoft

    http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=36a2630f-5d56-43b5-b996-7633f2ec14ff

2. Download netfilterforwin

    http://sourceforge.net/projects/netfilterforwin/

	Unpack it so the netfilterforwin directory (omit the version from its name)
	is beside the oisf directory.

3. Compile the driver

    - Open the build environment from you Start menu:
        Start->All Programs->windows Driver Kits->WDK xxxx.yyyy.z->Build Environments
            ->Windows Server 2003->x86 Free Build Environment
        (or the one which is proper for your system)
    - cd to netfilterforwin/netfilter
    - enter command:
        nmake

4. Install the driver

    - copy inf/* files and the freshly built netfilter.sys to a separate directory
    - open network connecions
	- right-click an interface, select properties
	- click install...
	- select service
	- click add
	- click 'have disk...'
	- browse to the directory with the inf files and netfilter.sys, select netfilter.inf anc click ok
	- confirm everything

	You should have the driver installed now.

5. Run Suricata in inline mode:

    suricata.exe -c suricata.yaml -q 0