<div dir="ltr">Thanks for forwarding the instructions, I will recompile Suricata with HyperScan support and see if that helps reduce the kernel_drops.<div><br></div><div>Thanks,</div><div>Fatema.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jul 12, 2018 at 9:47 AM, Cloherty, Sean E <span dir="ltr"><<a href="mailto:scloherty@mitre.org" target="_blank">scloherty@mitre.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="m_3594186318099023884WordSection1">
<p class="MsoNormal">Forwarding you the instructions from Derek Spransy which helped me get Hyperscan installed on CentOS. 
<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span class=""><b>From:</b> Oisf-users [mailto:<a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org" target="_blank">oisf-users-bounces@<wbr>lists.openinfosecfoundation.<wbr>org</a>]
<b>On Behalf Of </b>fatema bannatwala<br>
</span><b>Sent:</b> Wednesday, July 11, 2018 13:51 PM<br>
<b>To:</b> <a href="mailto:eric@regit.org" target="_blank">eric@regit.org</a><span class=""><br>
<b>Cc:</b> <a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.<wbr>openinfosecfoundation.org</a><br>
<b>Subject:</b> Re: [Oisf-users] High Suricata capture.kernel_drops<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">Hi Eric,<u></u><u></u></p><div><div class="h5">
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">While installing Suricata, didn't know about HS capability, and it was disabled and hence not installed by default while installing suricata from source.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Later I got to know about it, it would be really good to have the recommended features documented in the Suricata documentation for the beginners to know which options to use and enable while installation for better performance. :(<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Thanks,<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Fatema.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div></div></div>
</div>
</div>

<br><br>---------- Forwarded message ----------<br>From: "Spransy, Derek" <<a href="mailto:dsprans@emory.edu">dsprans@emory.edu</a>><br>To: "Cloherty, Sean E" <<a href="mailto:scloherty@mitre.org">scloherty@mitre.org</a>>, "<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>" <<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>><br>Cc: <br>Bcc: <br>Date: Tue, 28 Mar 2017 16:20:47 +0000<br>Subject: Re: Hyperscan on RHEL or CentOS<br>




<div dir="ltr">
<div id="m_-4615353664389041517divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif" dir="ltr">
<p>These are my notes from installing HS and pf_ring support on RHEL 7.</p>
<p></p>
<h3 class="m_-4615353664389041517p2" id="m_-4615353664389041517SuricataDocumentation-snortappprod3-InstallwithIntelHyperscanEnabled" style="margin:30px 0px 0px;padding:0px;font-size:16px;line-height:1.5;font-family:Arial,sans-serif">
Install with Intel Hyperscan Enabled</h3>
<p class="m_-4615353664389041517p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<u><span class="m_-4615353664389041517s1">Install pre-requisites</span></u></p>
<p class="m_-4615353664389041517p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-4615353664389041517s1">sudo yum install cmake gcc-c++ python-devel</span></p>
<p class="m_-4615353664389041517p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-4615353664389041517s1">Download ragel, unpack, ./configure, make, sudo make install</span></p>
<p class="m_-4615353664389041517p2" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<u>Download and compile boost headers</u></p>
<p class="m_-4615353664389041517p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-4615353664389041517s1">Download boost 1.60</span></p>
<p class="m_-4615353664389041517p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-4615353664389041517s1">tar xvzf boost_1_60_0.tar.gz</span></p>
<p class="m_-4615353664389041517p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-4615353664389041517s1">cd boost_1_60_0</span></p>
<p class="m_-4615353664389041517p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-4615353664389041517s1">./bootstrap.sh</span></p>
<p class="m_-4615353664389041517p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-4615353664389041517s1">./b2</span></p>
<p class="m_-4615353664389041517p2" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<u>Install Hyperscan</u></p>
<p class="m_-4615353664389041517p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-4615353664389041517s1">git clone <a href="https://github.com/01org/hyperscan" class="m_-4615353664389041517external-link" rel="nofollow" style="color:rgb(50,108,166);text-decoration:none" id="m_-4615353664389041517LPlnk963466" target="_blank">
https://github.com/01org/<wbr>hyperscan</a></span><br>
</p>
<p class="m_-4615353664389041517p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-4615353664389041517s1">cd hyperscan</span></p>
<p class="m_-4615353664389041517p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-4615353664389041517s1">mkdir build</span></p>
<p class="m_-4615353664389041517p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-4615353664389041517s1">cd build</span></p>
<p class="m_-4615353664389041517p3" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-4615353664389041517s2">cmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=/home/<u></u>/boost_1_<wbr>60_0/ ../</span></p>
<p class="m_-4615353664389041517p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-4615353664389041517s1">make</span></p>
<p class="m_-4615353664389041517p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-4615353664389041517s1">sudo make install</span></p>
<p class="m_-4615353664389041517p2" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<u>Compile Suricata with HS and PF_RING support</u></p>
<p class="m_-4615353664389041517p3" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-4615353664389041517s2">./</span><span class="m_-4615353664389041517s3">configure</span><span class="m_-4615353664389041517s2"> --prefix=/usr --sysconfdir=/etc --enable-pfring --with-libpfring-includes=/<wbr>usr/local/include --with-libpfring-libraries=/<wbr>usr/local/lib --with-libnspr-includes=/usr/<wbr>include/nspr4/ --with-libnspr-libraries=/usr/<wbr>include/nspr4/
 --with-libcap_ng-libraries=/<wbr>usr/local/lib --with-libhs-includes=/usr/<wbr>local/include/hs/ --with-libhs-libraries=/usr/<wbr>local/lib/</span></p>
<p class="m_-4615353664389041517p3" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-4615353664389041517s2">mpm-algo and spm-algo values in suricata.yaml must be set to 'auto' or 'hs'</span></p>
<br>
<p></p>
<br>
<br>
<div style="color:rgb(0,0,0)">
<hr style="display:inline-block;width:98%">
<div id="m_-4615353664389041517divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Oisf-users
<u></u>on behalf of Cloherty, Sean E
<u></u><br>
<b>Sent:</b> Tuesday, March 28, 2017 12:15 PM<br>
<b>To:</b> <a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.<wbr>openinfosecfoundation.org</a><br>
<b>Subject:</b> [Oisf-users] Hyperscan on RHEL or CentOS</font>
<div></div>
</div>
<div>
<div>
<p style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">
Has anyone got instructions for installing Hyperscan on RHEL/CentOS? I’ve tried a few times now and it seems like I get fairly close, but I’ve not been able to compile Suricata with Hyperscan. I know that it is something I am completing incorrectly but have
 not been able to figure it out. Are there files or configuration changes that I can check at the end of the install to see if it was completed correctly prior to compiling Suricata?</p>
<p style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">
</p>
<p style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">
Thanks.</p>
<p style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">
</p>
<p style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">
Sean Cloherty</p>
<p style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">
InfoSec Engineer/Scientist, Lead</p>
<p style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">
<span style="font-family:MITRE;color:#2e74b5">MITRE</span> Corporation</p>
<p style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">
office (781) 271-3707</p>
<p style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">
cell (781) 697-8043</p>
<p style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">
</p>
</div>
</div>
</div>
</div>
</div>

<br></blockquote></div><br></div>
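Sean asked above how to verify that the Hyperscan install was completed correctly before compiling Suricata, and Derek's notes end with the mpm-algo/spm-algo requirement. The shell script below is an added example, not code from either of them or from the Suricata project: it checks that the header and library are where the `--with-libhs-includes` / `--with-libhs-libraries` flags from the notes expect them, that the two suricata.yaml keys are set to `auto` or `hs`, and that a saved copy of `suricata --build-info` reports Hyperscan (assumed to contain a `Hyperscan support: yes` line).

```shell
#!/bin/sh
# Added example, not from the thread: post-install sanity checks for the
# Hyperscan build in the notes above, to run before and after Suricata's
# ./configure. Paths default to the /usr/local prefix those notes use.

# check_hs_install PREFIX: 0 if the header and library are where
# --with-libhs-includes / --with-libhs-libraries will look for them.
check_hs_install() {
    prefix="${1:-/usr/local}"
    rc=0
    [ -f "$prefix/include/hs/hs.h" ] || { echo "missing $prefix/include/hs/hs.h"; rc=1; }
    if ! [ -f "$prefix/lib/libhs.a" ] && ! ls "$prefix"/lib/libhs.so* >/dev/null 2>&1; then
        echo "missing libhs.a / libhs.so under $prefix/lib"; rc=1
    fi
    return $rc
}

# check_mpm_algo SURICATA_YAML: 0 if mpm-algo and spm-algo are 'auto' or 'hs'
# (any other value means the Hyperscan build is ignored at runtime).
check_mpm_algo() {
    yaml="$1"
    rc=0
    for key in mpm-algo spm-algo; do
        # first uncommented "key: value" line, optional quotes stripped
        val=$(sed -n "s/^[[:space:]]*$key:[[:space:]]*[\"']\{0,1\}\([A-Za-z0-9_-]*\).*/\1/p" "$yaml" | head -n 1)
        case "$val" in
            auto|hs) ;;
            "") echo "$key: not set in $yaml"; rc=1 ;;
            *) echo "$key: '$val' in $yaml, set it to auto or hs"; rc=1 ;;
        esac
    done
    return $rc
}

# check_build_info FILE: 0 if saved 'suricata --build-info' output reports
# Hyperscan support (assumes the 'Hyperscan support: yes' line it prints).
check_build_info() {
    grep -qi '^Hyperscan support:[[:space:]]*yes' "$1"
}

# Typical use on the sensor:
#   check_hs_install /usr/local && check_mpm_algo /etc/suricata/suricata.yaml
#   suricata --build-info > /tmp/build-info.txt && check_build_info /tmp/build-info.txt
```

On RHEL/CentOS, /usr/local/lib is typically not in the default ld.so search path, so a configure that passes but a Suricata that fails to start with a missing libhs.so usually means an /etc/ld.so.conf.d entry for /usr/local/lib plus `ldconfig` is still needed.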