<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:MITRE;
panose-1:4 11 114 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
h3
{mso-style-priority:9;
mso-style-link:"Heading 3 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:13.5pt;
font-family:"Times New Roman",serif;
font-weight:bold;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.Heading3Char
{mso-style-name:"Heading 3 Char";
mso-style-priority:9;
mso-style-link:"Heading 3";
font-family:"Calibri Light",sans-serif;
color:#1F4D78;}
p.p1, li.p1, div.p1
{mso-style-name:p1;
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.s1
{mso-style-name:s1;}
p.p2, li.p2, div.p2
{mso-style-name:p2;
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.p3, li.p3, div.p3
{mso-style-name:p3;
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.s2
{mso-style-name:s2;}
span.s3
{mso-style-name:s3;}
span.EmailStyle26
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Excellent! Thank you Derek – looking at your notes I think I’ve figured out where my problem is. This line is what I was not getting right, so it threw everything else off -><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="p3" style="margin-top:7.5pt"><span class="s2"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">cmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=/home/&lt;user&gt;/boost_1_60_0/ ../</span></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Two follow-up questions, if I could –
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">1. Does it matter what directory you are in when you invoke git for the Hyperscan package?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">2. Does/Should the boost directory be in a specific user’s home directory (like the account that you use to run Suricata), or is it not consequential at all?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Much appreciated.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Sean<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Spransy, Derek [mailto:dsprans@emory.edu]
<br>
<b>Sent:</b> Tuesday, March 28, 2017 12:21 PM<br>
<b>To:</b> Cloherty, Sean E &lt;scloherty@mitre.org&gt;; oisf-users@lists.openinfosecfoundation.org<br>
<b>Subject:</b> Re: Hyperscan on RHEL or CentOS<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div id="divtagdefaultwrapper">
<p><span style="font-family:"Calibri",sans-serif;color:black">These are my notes from installing HS and pf_ring support on RHEL 7.<o:p></o:p></span></p>
<h3 style="mso-margin-top-alt:22.5pt;margin-right:0in;margin-bottom:0in;margin-left:0in;margin-bottom:.0001pt" id="SuricataDocumentation-snortappprod3-InstallwithIntelHyperscanEnabled">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Install with Intel Hyperscan Enabled<o:p></o:p></span></h3>
<p class="p1" style="margin-top:7.5pt"><span class="s1"><u><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Install pre-requisites</span></u></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p class="p1" style="margin-top:7.5pt"><span class="s1"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">sudo yum install cmake gcc-c++ python-devel</span></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p class="p1" style="margin-top:7.5pt"><span class="s1"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Download ragel, unpack, ./configure, make, sudo make install</span></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p class="p2" style="margin-top:7.5pt"><u><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Download and compile boost headers</span></u><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p class="p1" style="margin-top:7.5pt"><span class="s1"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Download boost 1.60</span></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p class="p1" style="margin-top:7.5pt"><span class="s1"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">tar xvzf boost_1_60_0.tar.gz</span></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p class="p1" style="margin-top:7.5pt"><span class="s1"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">cd boost_1_60_0</span></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p class="p1" style="margin-top:7.5pt"><span class="s1"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">./bootstrap.sh</span></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p class="p1" style="margin-top:7.5pt"><span class="s1"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">./b2</span></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p class="p2" style="margin-top:7.5pt"><u><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Install Hyperscan</span></u><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p class="p1" style="margin-top:7.5pt"><span class="s1"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">git clone <a href="https://github.com/01org/hyperscan"><span style="color:#326CA6;text-decoration:none">https://github.com/01org/hyperscan</span></a></span></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p class="p1" style="margin-top:7.5pt"><span class="s1"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">cd hyperscan</span></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p class="p1" style="margin-top:7.5pt"><span class="s1"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">mkdir build</span></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p class="p1" style="margin-top:7.5pt"><span class="s1"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">cd build</span></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p class="p3" style="margin-top:7.5pt"><span class="s2"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">cmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=/home/&lt;user&gt;/boost_1_60_0/ ../</span></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p class="p1" style="margin-top:7.5pt"><span class="s1"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">make</span></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p class="p1" style="margin-top:7.5pt"><span class="s1"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">sudo make install</span></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p class="p2" style="margin-top:7.5pt"><u><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Compile Suricata with HS and PF_RING support</span></u><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p class="p3" style="margin-top:7.5pt"><span class="s2"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">./</span></span><span class="s3"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">configure</span></span><span class="s2"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"> --prefix=/usr
--sysconfdir=/etc --enable-pfring --with-libpfring-includes=/usr/local/include --with-libpfring-libraries=/usr/local/lib --with-libnspr-includes=/usr/include/nspr4/ --with-libnspr-libraries=/usr/include/nspr4/ --with-libcap_ng-libraries=/usr/local/lib --with-libhs-includes=/usr/local/include/hs/
--with-libhs-libraries=/usr/local/lib/</span></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p class="p3" style="margin-top:7.5pt"><span class="s2"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">mpm-algo and spm-algo values in suricata.yaml must be set to 'auto' or 'hs'</span></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<div>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">
<hr size="2" width="98%" align="center">
</span></div>
<div id="divRplyFwdMsg">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> Oisf-users <<a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org">oisf-users-bounces@lists.openinfosecfoundation.org</a>>
on behalf of Cloherty, Sean E <<a href="mailto:scloherty@mitre.org">scloherty@mitre.org</a>><br>
<b>Sent:</b> Tuesday, March 28, 2017 12:15 PM<br>
<b>To:</b> <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a><br>
<b>Subject:</b> [Oisf-users] Hyperscan on RHEL or CentOS</span><span style="font-family:"Calibri",sans-serif;color:black">
<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Has anyone got instructions for installing Hyperscan on RHEL/CentOS? I’ve tried a few times now and it seems like I get fairly close, but I’ve not been able to compile Suricata
with Hyperscan. I know that it is something I am completing incorrectly but have not been able to figure it out. Are there files or configuration changes that I can check at the end of the install to see if it was completed correctly prior to compiling
Suricata?<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> <o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Thanks.<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> <o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Sean Cloherty<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">InfoSec Engineer/Scientist, Lead<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:MITRE;color:#2E74B5">MITRE</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> Corporation<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">office (781) 271-3707<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">cell (781) 697-8043<o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> <o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
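<p class="MsoNormal">Added example, not part of the original thread or of the install notes: a shell script for the check asked about in the original question, covering the files the Hyperscan install should leave behind, the Hyperscan line in the output of suricata --build-info, and the mpm-algo and spm-algo values in suricata.yaml. The function names, the lib64 fallback and the default paths /usr/local and /etc/suricata/suricata.yaml are assumptions.</p>
<pre>
```shell
#!/bin/sh
# Added example (not from the thread): checks to run after the steps above.
# Function names, the lib64 fallback and the default paths are assumptions.

# hs_files_ok PREFIX: header plus the static and shared libraries that
# -DBUILD_STATIC_AND_SHARED=1 and "sudo make install" should leave behind.
hs_files_ok() {
    prefix=$1
    rc=0
    if [ ! -f "$prefix/include/hs/hs.h" ]; then
        echo "missing $prefix/include/hs/hs.h"
        rc=1
    fi
    for lib in libhs.a libhs.so; do
        if [ ! -e "$prefix/lib/$lib" ]; then
            if [ ! -e "$prefix/lib64/$lib" ]; then
                echo "missing $lib under $prefix/lib and $prefix/lib64"
                rc=1
            fi
        fi
    done
    return $rc
}

# build_info_ok: reads "suricata --build-info" output on stdin and succeeds
# only when the Hyperscan line says yes.
build_info_ok() {
    grep -Eq '^[[:space:]]*Hyperscan support:[[:space:]]*yes'
}

# algo_ok KEY FILE: KEY (mpm-algo or spm-algo) in suricata.yaml must be
# auto or hs, optionally quoted, as the notes require.
algo_ok() {
    grep -Eq "^[[:space:]]*$1:[[:space:]]*[\"']?(auto|hs)[\"']?[[:space:]]*(#.*)?\$" "$2"
}

# Live run: sh check_hs.sh run [PREFIX] [YAML]
if [ "${1:-}" = "run" ]; then
    hs_files_ok "${2:-/usr/local}" || echo "FAIL: Hyperscan files"
    suricata --build-info | build_info_ok || echo "FAIL: no Hyperscan in Suricata"
    for key in mpm-algo spm-algo; do
        algo_ok "$key" "${3:-/etc/suricata/suricata.yaml}" || echo "FAIL: $key"
    done
fi
```
</pre>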
</div>
</body>
</html>