<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:MITRE;
        panose-1:4 11 114 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Segoe UI";
        panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
        {font-family:"Segoe UI Light";
        panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
h3
        {mso-style-priority:9;
        mso-style-link:"Heading 3 Char";
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:13.5pt;
        font-family:"Times New Roman",serif;
        font-weight:bold;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
span.Heading3Char
        {mso-style-name:"Heading 3 Char";
        mso-style-priority:9;
        mso-style-link:"Heading 3";
        font-family:"Calibri Light",sans-serif;
        color:#1F4D78;}
p.msonormal0, li.msonormal0, div.msonormal0
        {mso-style-name:msonormal;
        mso-style-priority:99;
        margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
span.EmailStyle20
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Further but not there yet.  Boost ended with this –
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">...failed updating 2 targets...<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">...skipped 6 targets...<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">...updated 1126 targets...<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Scrolling back I did find these errors but I am not sure if they are relevant or not –
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">...failed gcc.compile.c++ bin.v2/libs/sync/build/gcc-4.8.5/release/link-static/threading-multi/tss_pthread.o…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> ...skipped <pbin.v2/libs/sync/build/gcc-4.8.5/release/threading-multi>libboost_sync.so.1.63.0 for lack of <pbin.v2/libs/sync/build/gcc-4.8.5/release/threading-multi>tss_pthread.o…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Spransy, Derek [mailto:dsprans@emory.edu]
<br>
<b>Sent:</b> Tuesday, March 28, 2017 14:24 PM<br>
<b>To:</b> Cloherty, Sean E <scloherty@mitre.org>; oisf-users@lists.openinfosecfoundation.org<br>
<b>Subject:</b> Re: Hyperscan on RHEL or CentOS<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div id="divtagdefaultwrapper">
<p><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">cmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=/home/<user>/boost_1_60_0/ ../</span><span style="font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
<div>
<div>
<div>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">- No problem. As I recall I had some trouble at this step as well, but ultimately figured it out. </span><span style="color:black"><o:p></o:p></span></p>
<p><span style="color:black"><o:p> </o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Two follow up questions if I could –
</span><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">1.  Does it matter what directory you are in when you invoke git for the Hyperscan package?</span><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">- No, just as long as you have the requisite permissions.</span><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">2.  Does/Should the boost directory be in a specific user’s home directory (like the account that you use to run Suricata), or is it not consequential at all?</span><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">- This shouldn't make any difference either, as long as you have permissions. I run pretty much everything out of my home folder when doing this type of work.</span><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> Spransy, Derek [</span><a href="mailto:dsprans@emory.edu"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">mailto:dsprans@emory.edu</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">]
<br>
<b>Sent:</b> Tuesday, March 28, 2017 12:21 PM<br>
<b>To:</b> Cloherty, Sean E <</span><a href="mailto:scloherty@mitre.org"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">scloherty@mitre.org</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">>;
</span><a href="mailto:oisf-users@lists.openinfosecfoundation.org"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">oisf-users@lists.openinfosecfoundation.org</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><br>
<b>Subject:</b> Re: Hyperscan on RHEL or CentOS</span><span style="color:black"><o:p></o:p></span></p>
</div>
</div>
<p><span style="color:black"> <o:p></o:p></span></p>
<div id="divtagdefaultwrapper">
<p><span style="font-family:"Calibri",sans-serif;color:black">These are my notes from installing HS and pf_ring support on RHEL 7.<o:p></o:p></span></p>
<h3 style="margin-bottom:0in;margin-bottom:.0001pt" id="SuricataDocumentation-snortappprod3-InstallwithIntelHyperscanEnabled">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Install with Intel Hyperscan Enabled</span><span style="color:black"><o:p></o:p></span></h3>
<p><u><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Install pre-requisites</span></u><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">sudo yum install cmake gcc-c++ python-devel</span><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Download ragel, unpack, ./configure, make, sudo make install</span><span style="color:black"><o:p></o:p></span></p>
<p><u><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Download and compile boost headers</span></u><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Download boost 1.60</span><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">tar xvzf boost_1_60_0.tar.gz</span><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">cd boost_1_60_0</span><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">./bootstrap.sh</span><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">./b2</span><span style="color:black"><o:p></o:p></span></p>
<p><u><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Install Hyperscan</span></u><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">git clone </span><a href="https://github.com/01org/hyperscan"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#326CA6;text-decoration:none">https://github.com/01org/hyperscan</span></a><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">cd hyperscan</span><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">mkdir build</span><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">cd build</span><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">cmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=/home/<user>/boost_1_60_0/ ../</span><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">make</span><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">sudo make install</span><span style="color:black"><o:p></o:p></span></p>
<p><u><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Compile Suricata with HS and PF_RING support</span></u><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">./configure --prefix=/usr --sysconfdir=/etc --enable-pfring --with-libpfring-includes=/usr/local/include --with-libpfring-libraries=/usr/local/lib --with-libnspr-includes=/usr/include/nspr4/
 --with-libnspr-libraries=/usr/include/nspr4/ --with-libcap_ng-libraries=/usr/local/lib --with-libhs-includes=/usr/local/include/hs/ --with-libhs-libraries=/usr/local/lib/</span><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">mpm-algo and spm-algo values in suricata.yaml must be set to 'auto' or 'hs'</span><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-family:"Calibri",sans-serif;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p><span style="font-family:"Calibri",sans-serif;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<div>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">
<hr size="2" width="98%" align="center">
</span></div>
<div id="divRplyFwdMsg">
<p><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> Oisf-users <</span><a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">oisf-users-bounces@lists.openinfosecfoundation.org</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">>
 on behalf of Cloherty, Sean E <</span><a href="mailto:scloherty@mitre.org"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">scloherty@mitre.org</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">><br>
<b>Sent:</b> Tuesday, March 28, 2017 12:15 PM<br>
<b>To:</b> </span><a href="mailto:oisf-users@lists.openinfosecfoundation.org"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">oisf-users@lists.openinfosecfoundation.org</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><br>
<b>Subject:</b> [Oisf-users] Hyperscan on RHEL or CentOS</span><span style="font-family:"Calibri",sans-serif;color:black">
</span><span style="color:black"><o:p></o:p></span></p>
<div>
<p><span style="font-family:"Calibri",sans-serif;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Has anyone got instructions for installing Hyperscan on RHEL/CentOS?  I’ve tried a few times now and it seems like I get fairly close, but I’ve not been able to compile Suricata
 with Hyperscan.  I know that it is something I am completing incorrectly but have not been able to figure it out.   Are there files or configuration changes that I can check at the end of the install to see if it was completed correctly prior to compiling
 Suricata?</span><span style="font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> </span><span style="font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Thanks.</span><span style="font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> </span><span style="font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Sean Cloherty</span><span style="font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">InfoSec Engineer/Scientist, Lead</span><span style="font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:MITRE;color:#2E74B5">MITRE</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> Corporation</span><span style="font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">office (781) 271-3707</span><span style="font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">cell      (781) 697-8043</span><span style="font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> </span><span style="font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<p><span style="color:black"> <o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
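<p>The original question asks what can be checked after the Hyperscan install and before compiling Suricata. The script below is an added example, not part of the thread and not code from the Suricata or Hyperscan projects. It assumes the /usr/local prefix and --sysconfdir=/etc used in the notes; the function names, the script name and the lib64 fallback are assumptions.</p>

```shell
#!/bin/sh
# Added example: checks around the Hyperscan/Suricata build described in the notes.

# 1. Header and library under the install prefix (/usr/local in the notes).
#    Looking in lib64 as well is an assumption: some cmake installs use it.
check_hs_install() {
    hs_prefix="${1:-/usr/local}"; hs_rc=0; hs_libdir=""
    if [ ! -f "$hs_prefix/include/hs/hs.h" ]; then
        echo "missing header: $hs_prefix/include/hs/hs.h"; hs_rc=1
    fi
    for hs_d in lib lib64; do
        for hs_f in "$hs_prefix/$hs_d"/libhs.so* "$hs_prefix/$hs_d"/libhs.a; do
            if [ -e "$hs_f" ]; then hs_libdir="$hs_prefix/$hs_d"; fi
        done
    done
    if [ -n "$hs_libdir" ]; then
        echo "libhs found in $hs_libdir (pass this to --with-libhs-libraries)"
    else
        echo "missing library: no libhs under $hs_prefix/lib or $hs_prefix/lib64"; hs_rc=1
    fi
    return "$hs_rc"
}

# 2. Is libhs in the runtime linker cache? Reads `ldconfig -p` output on stdin.
linker_knows_libhs() {
    grep -q 'libhs\.so'
}

# 3. Did the Suricata build pick Hyperscan up? Reads `suricata --build-info` on stdin.
build_has_hyperscan() {
    grep -Eiq 'hyperscan support:[[:space:]]*yes'
}

# 4. mpm-algo and spm-algo must be 'auto' or 'hs' (per the notes). Prints each
#    problem found; returns 0 only if both keys are set to an accepted value.
check_algos() {
    awk '
        /^[[:space:]]*#/ { next }                      # skip commented-out settings
        /^[[:space:]]*(mpm|spm)-algo:/ {
            key = $1; sub(/:$/, "", key)
            val = $2; gsub("[\"\047]", "", val)        # drop surrounding quotes
            seen[key] = 1
            if (val != "auto" && val != "hs") { print key " is " val; bad = 1 }
        }
        END {
            if (!seen["mpm-algo"]) { print "mpm-algo not set"; bad = 1 }
            if (!seen["spm-algo"]) { print "spm-algo not set"; bad = 1 }
            exit bad + 0
        }' "$1"
}

# On a real host: sh hs_preflight.sh --run [prefix] [path to suricata.yaml]
if [ "${1:-}" = "--run" ]; then
    check_hs_install "${2:-/usr/local}"
    ldconfig -p | linker_knows_libhs ||
        echo "libhs not in linker cache: add its directory under /etc/ld.so.conf.d and run ldconfig"
    suricata --build-info | build_has_hyperscan ||
        echo "this suricata binary was built without Hyperscan support"
    check_algos "${3:-/etc/suricata/suricata.yaml}"
fi
```

<p>Checks 1 and 2 apply before running Suricata's ./configure; checks 3 and 4 apply to the built binary and its configuration.</p>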
</body>
</html>