need help setting up Suricata and Evebox on windows 10 no docker container

bedouinbro
Well-Known Member · Joined Feb 6, 2024 · Messages 44
how do i set up Suricata and Evebox on win 10 ? without installing docker and Elasticsearch, give me detailed tutorial
 

Solution
Below is a step‐by‐step tutorial on how to set up Suricata and Evebox on Windows 10—without using Docker or Elasticsearch.
─────────────────────────────
● Overview
Suricata is a high-performance network IDS/IPS and network security monitoring engine, and Evebox is a web interface that lets you browse Suricata’s alerts. In this guide, you will install Suricata natively on Windows 10, configure it to output alerts in EVE JSON format, and then run Evebox in “file mode” (i.e. reading the generated log file) rather than using Elasticsearch as its backend.
─────────────────────────────
● Prerequisites
• Administrative rights on your Windows machine
• NPcap installed for packet capture (available at npcap.org)
• A text editor (like Notepad++ or VS Code) to modify configuration files
• Internet access to download binaries or, if you choose, to build from source
• (Optional) Go (golang) installed if you prefer to build Evebox rather than using a precompiled binary
─────────────────────────────
● Part 1: Installing & Configuring Suricata on Windows 10
  • Download Suricata for Windows
    • Visit the official download page at https://suricata-ids.org/download/ and download the latest Windows installer.
    • Run the installer as Administrator and follow the setup wizard.
  • Configure Suricata
    • Locate the “suricata.yaml” file in your installation directory (for example, C:\Suricata). Open it in your favorite text editor.
    Network Interface:
    – Find the section for setting up your capture interface. Since you’re on Windows, ensure NPcap is installed and configured correctly.
    – Replace <your_network_interface> with the exact name (or number) corresponding to your active adapter.
    Home Network Definition:
    – Under the vars: section, set HOME_NET to your local network, e.g.,
    Code:
       vars:
         address-groups:
           HOME_NET: "[192.168.1.0/24]"
    Enable EVE JSON Logging:
    – In the outputs section, locate or add the Eve log output:
    Code:
       outputs:
         - eve-log:
             enabled: yes
             filetype: regular
             filename: C:\Suricata\logs\eve.json
             types:
               - alert
               - dns
               - http
               - tls
    – Adjust the path and alert types as needed. Save and close the file.
  • Run Suricata
    • Open a Command Prompt in Administrator mode.
    • Change to your Suricata installation directory.
    • Run Suricata with:
    suricata -c C:\Suricata\suricata.yaml -i <your_network_interface>
    Replace <your_network_interface> with the proper interface name.
    • Verify that Suricata runs and begins generating alerts in the eve.json file (located in your designated log directory).
─────────────────────────────
● Part 2: Installing & Configuring Evebox on Windows 10 (Without Docker or Elasticsearch)
Evebox can run as a standalone application reading from the Suricata EVE file.
  • Obtain Evebox
    There are two approaches:
  • Precompiled Binary:
    • Check the official Evebox GitHub releases page (https://github.com/jasonish/evebox/releases) for a Windows binary. Download the version matching your system architecture.
  • Building from Source:
    • Install Go (https://golang.org/dl/).
    • Open a command prompt and clone the repository:
    Code:
    git clone https://github.com/jasonish/evebox.git
    cd evebox
    go build -o evebox.exe
    • This will produce a Windows executable (evebox.exe).
  • Run Evebox in File Mode
    • Open a Command Prompt window.
    • Navigate to where your evebox.exe is located.
    • Launch Evebox by pointing it to the EVE log file that Suricata produces:
    evebox.exe -f C:\Suricata\logs\eve.json
    This “file mode” tells Evebox to read from the log file directly rather than trying to connect to an Elasticsearch backend.
    • By default, Evebox starts a web server on port 5636. Open your web browser and go to:
    http://localhost:5636
    You should now see the Evebox web interface displaying alerts and events.
─────────────────────────────
● Part 3: Testing & Finalizing Your Setup
  • Verify Suricata’s Logs
    • Generate some network traffic or use test rules to trigger alerts.
    • Monitor the eve.json file (using a tailing tool like BareTail on Windows) to confirm that events are correctly logged.
  • Validate the Evebox Dashboard
    • Navigate to the Evebox web interface in your browser.
    • Confirm that alerts and other events are visible and updated with your latest logs.
  • Automation & Services (Optional)
    • Once testing is complete, consider setting up Windows Services or scheduled tasks to automatically start Suricata and Evebox on boot.
    • Regularly update your Suricata rules and check for new releases of both tools for continued security and improved features.
─────────────────────────────
● Troubleshooting Tips
No Alerts Appear in Evebox?
– Verify that Suricata is running and that the eve.json file is located where Evebox expects it.
– Check file permissions and ensure no firewall is blocking Evebox’s web interface.
– Confirm that the output configuration in suricata.yaml is correct.
Interface Issues:
– Double-check that NPcap is correctly installed and that you’re specifying the active network interface.
– If necessary, try running Suricata in “pcap” mode or adjust the interface settings.
Service Issues:
– For production use, consider running both Suricata and Evebox as Windows services so that they restart automatically if interrupted.
─────────────────────────────
● Summary
With Suricata installed and configured to output alerts to an EVE JSON log file, and Evebox set to read from that file rather than connecting to an Elasticsearch backend, you now have a powerful IDS setup running natively on Windows 10. This solution avoids Docker and Elasticsearch entirely while still providing a clear, web-based interface for monitoring network security events.
If you run into any issues or need further improvements, feel free to ask—happy monitoring!
— ChatGPT
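A small script for the check in Part 3 (confirming that eve.json is actually being written, and with the event types enabled in suricata.yaml) before pointing Evebox at it. This is an added example, not code from the original post or from the Suricata or Evebox projects; the log lines embedded in it are constructed to mimic EVE JSON records (made-up IPs, timestamps and local-range signature IDs), the script name check_eve.py is an assumption, and it reads the same one-JSON-object-per-line format that Evebox's file mode consumes. The last sample line is deliberately cut off to show how a record Suricata is still writing is handled.

```python
import json
from collections import Counter

# Constructed sample of eve.json content. Field names follow Suricata's EVE JSON
# layout; the IPs, timestamps and signature texts are made up for this example,
# and the final line is deliberately truncated to mimic a record that Suricata is
# still writing at the moment the file is read.
SAMPLE_EVE = """\
{"timestamp":"2024-02-06T10:00:01.000000+0000","event_type":"alert","src_ip":"192.168.1.10","dest_ip":"203.0.113.5","proto":"TCP","alert":{"signature_id":1000001,"signature":"LOCAL test alert A","severity":2}}
{"timestamp":"2024-02-06T10:00:02.000000+0000","event_type":"dns","src_ip":"192.168.1.10","dest_ip":"192.168.1.1","proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2024-02-06T10:00:03.000000+0000","event_type":"http","src_ip":"192.168.1.10","dest_ip":"203.0.113.5","proto":"TCP","http":{"hostname":"example.com","url":"/","http_method":"GET"}}
{"timestamp":"2024-02-06T10:00:04.000000+0000","event_type":"alert","src_ip":"192.168.1.11","dest_ip":"203.0.113.9","proto":"TCP","alert":{"signature_id":1000001,"signature":"LOCAL test alert A","severity":2}}
{"timestamp":"2024-02-06T10:00:05.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"192.168.1.11","proto":"TCP","alert":{"signature_id":1000002,"signature":"LOCAL test alert B","severity":1}}
{"timestamp":"2024-02-06T10:00:06.000000+0000","event_type":"tls","src_ip":"192.168.1.10","dest_ip":"203.0.113.5","proto":"TCP","tls":{"sni":"example.com","version":"TLS 1.3"}}
{"timestamp":"2024-02-06T10:00:07.000000+0000","event_type":"alert","src_ip":"192.168.1.1
"""

# The event types enabled under eve-log in the suricata.yaml from the tutorial.
EXPECTED_TYPES = {"alert", "dns", "http", "tls"}


def parse_eve(text):
    """Parse EVE JSON text (one object per line).

    Returns (events, bad_lines). A malformed or truncated line is counted and
    skipped rather than treated as fatal, because Suricata may be in the middle
    of writing the last record when the file is read.
    """
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if isinstance(obj, dict) and "event_type" in obj:
            events.append(obj)
        else:
            bad += 1
    return events, bad


def summarize(events):
    """Count events per type, alerts per signature and per severity, and report
    which of the configured event types have not shown up yet."""
    by_type = Counter(e["event_type"] for e in events)
    alerts = [e for e in events if e["event_type"] == "alert"]
    by_sig = Counter(e["alert"]["signature"] for e in alerts)
    by_sev = Counter(e["alert"]["severity"] for e in alerts)
    return {
        "by_type": dict(by_type),
        "by_signature": dict(by_sig),
        "by_severity": dict(by_sev),
        "missing_types": sorted(EXPECTED_TYPES - set(by_type)),
    }


def check_eve_file(path):
    """Read a real eve.json and return (summary, number_of_skipped_lines)."""
    with open(path, "r", encoding="utf-8") as fh:
        events, bad = parse_eve(fh.read())
    return summarize(events), bad


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        summary, bad = check_eve_file(sys.argv[1])
    else:
        events, bad = parse_eve(SAMPLE_EVE)
        summary = summarize(events)
    print(json.dumps(summary, indent=2))
    print(f"malformed/partial lines skipped: {bad}")
```

Run it as `python check_eve.py C:\Suricata\logs\eve.json` (path from the tutorial) once Suricata is capturing; without an argument it runs against the embedded sample. An empty `by_type` means Suricata is not writing to that path at all, an entry in `missing_types` means the corresponding output type has not produced any records yet (or is not enabled in suricata.yaml), and a non-zero skipped-line count on a file that has stopped growing points at a damaged log rather than an in-progress write.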
 
