doc/userguide/ips/setting-up-ipsinline-for-windows.rst

Setting up IPS/inline for Windows
=================================

This guide explains how to work with Suricata in layer 4 inline mode using WinDivert on Windows.

Start by compiling Suricata with WinDivert support. For building instructions, see :doc:`../install/windows`.

WinDivert.dll and WinDivert.sys must be in the same directory as the Suricata executable. WinDivert automatically installs the driver when it is run. For more information about WinDivert, see https://www.reqrypt.org/windivert-doc.html.

To check if you have WinDivert enabled in your Suricata, enter the following command in an elevated command prompt or terminal:

::

  suricata -c suricata.yaml --windivert [filter string]

For information on the WinDivert filter language, see https://www.reqrypt.org/windivert-doc.html#filter_language.

If Suricata is running on a gateway and is meant to protect the network behind that gateway, you need to run WinDivert at the NETWORK_FORWARD layer. This can be achieved using the following command:

::

  suricata -c suricata.yaml --windivert-forward [filter string]

The filter is automatically stopped and normal traffic resumes when Suricata is stopped.

A quick start is to examine all traffic, in which case you can use the following command:

::

  suricata -c suricata.yaml --windivert[-forward] true

A few additional examples:

Only TCP traffic:

::

  suricata -c suricata.yaml --windivert tcp

Only TCP traffic on port 80:

::

  suricata -c suricata.yaml --windivert "tcp.DstPort == 80"

TCP and ICMP traffic:

::

  suricata -c suricata.yaml --windivert "tcp or icmp"
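The following PowerShell launcher is an added example and is not part of the Suricata documentation or code base. It checks the preconditions stated above (an elevated prompt, and WinDivert.dll and WinDivert.sys beside the Suricata executable) before starting Suricata in WinDivert inline mode, and passes the filter string as a single argument so filters containing spaces, such as ``tcp.DstPort == 80``, reach WinDivert intact. The default install directory, the config file name and the ``-Forward`` switch are assumptions made for this example.

```powershell
# Added example, not part of the Suricata project.
# Pre-flight checks and launcher for Suricata in WinDivert inline mode.
param(
    # Assumption: directory holding suricata.exe, WinDivert.dll and WinDivert.sys.
    [string]$SuricataDir = "C:\Program Files\Suricata",
    # Assumption: config file name, resolved relative to $SuricataDir.
    [string]$Config = "suricata.yaml",
    # WinDivert filter string, e.g. "true", "tcp", "tcp.DstPort == 80", "tcp or icmp".
    [string]$Filter = "true",
    # Use the NETWORK_FORWARD layer when this host is a gateway for the protected network.
    [switch]$Forward
)

$ErrorActionPreference = "Stop"

# 1. WinDivert installs its driver at start-up, so Suricata must run elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw "Run this from an elevated prompt: WinDivert needs to load its driver."
}

# 2. WinDivert.dll and WinDivert.sys must be in the same directory as the executable.
foreach ($name in @("suricata.exe", "WinDivert.dll", "WinDivert.sys")) {
    $path = Join-Path $SuricataDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        throw "Missing required file: $path"
    }
}

# 3. Pick the layer: --windivert (local host) or --windivert-forward (gateway).
$mode = if ($Forward) { "--windivert-forward" } else { "--windivert" }

# 4. Build the argument list. Passing $Filter as one element keeps a filter such as
#    "tcp.DstPort == 80" as a single argument instead of three.
$exe          = Join-Path $SuricataDir "suricata.exe"
$configPath   = Join-Path $SuricataDir $Config
$suricataArgs = @("-c", $configPath, $mode, $Filter)

Write-Host "Starting: suricata $($suricataArgs -join ' ')"
# Stopping Suricata (Ctrl+C) removes the WinDivert filter and normal traffic resumes.
& $exe @suricataArgs
```

Usage from an elevated PowerShell prompt, for example ``.\Start-SuricataInline.ps1 -Filter "tcp.DstPort == 80"`` on a host, or ``.\Start-SuricataInline.ps1 -Forward -Filter "tcp or icmp"`` on a gateway; the script name is an assumption.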