<div dir="ltr">Ah Nevermind. Copied the library so in /lib64 folder and it was found by ldd.<div><br></div><div>Thanks,</div><div>Fatema.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 18, 2018 at 4:57 PM, fatema bannatwala <span dir="ltr"><<a href="mailto:fatema.bannatwala@gmail.com" target="_blank">fatema.bannatwala@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">So trying to install HyperScan and then compile Suricata with HS lib.<div>Suricata can't link to the libhs.so.5 library, any ideas why?</div><div><br></div><div>Followed the steps mentioned, just had to yum install
<span style="color:rgb(0,0,0);font-family:Verdana,Arial,"Bitstream Vera Sans",Helvetica,sans-serif;text-align:left;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">l</span>ibquadmath-devel, but other than that everything was pretty much installed as per the documented steps.</div><div>And then compiled Suricata with " --with-libhs-includes=/usr/<wbr>local/include/hs --with-libhs-libraries=/usr/<wbr>local/lib64" additional options.</div><div><br></div><div><div>$ ldd /usr/local/suricata/4.0.4/bin/<wbr>suricata</div><div> linux-vdso.so.1 => (0x00007ffe1e797000)</div><div> libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f62aee7b000)</div><div> libhtp.so.2 => /usr/local/suricata/4.0.4/lib/<wbr>libhtp.so.2 (0x00007f62aec5a000)</div><div> librt.so.1 => /lib64/librt.so.1 (0x00007f62aea52000)</div><div> libm.so.6 => /lib64/libm.so.6 (0x00007f62ae750000)</div><div> libmagic.so.1 => /lib64/libmagic.so.1 (0x00007f62ae533000)</div><div> libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007f62ae32d000)</div><div> libpfring.so => /usr/local/pfring/6.6.0/lib/<wbr>libpfring.so (0x00007f62ae0b9000)</div><div> libpcap.so.1 => /usr/local/pfring/6.6.0/lib/<wbr>libpcap.so.1 (0x00007f62ade06000)</div><div> libnet.so.1 => /lib64/libnet.so.1 (0x00007f62adbec000)</div><div> libjansson.so.4 => /lib64/libjansson.so.4 (0x00007f62ad9df000)</div><div> libyaml-0.so.2 => /lib64/libyaml-0.so.2 (0x00007f62ad7bf000)</div><div> <b>libhs.so.5 => not found</b></div><div> libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f62ad55d000)</div><div> libssl3.so => /lib64/libssl3.so (0x00007f62ad30b000)</div><div> libsmime3.so => /lib64/libsmime3.so (0x00007f62ad0e4000)</div><div> libnss3.so => /lib64/libnss3.so (0x00007f62acdb7000)</div><div> libnssutil3.so => /lib64/libnssutil3.so (0x00007f62acb88000)</div><div> libplds4.so => /lib64/libplds4.so (0x00007f62ac984000)</div><div> libplc4.so => /lib64/libplc4.so (0x00007f62ac77f000)</div><div> 
libnspr4.so => /lib64/libnspr4.so (0x00007f62ac541000)</div><div> libdl.so.2 => /lib64/libdl.so.2 (0x00007f62ac33d000)</div><div> libc.so.6 => /lib64/libc.so.6 (0x00007f62abf70000)</div><div> /lib64/ld-linux-x86-64.so.2 (0x00007f62af097000)</div><div> libz.so.1 => /lib64/libz.so.1 (0x00007f62abd5a000)</div></div><div><br></div><div>But it's there in /usr/local/lib64/ folder:</div><div><div>$ ls /usr/local/lib64/</div><div>libhs.a libhs_runtime.so libhs_runtime.so.5.0.0 libhs.so.5 pkgconfig</div><div>libhs_runtime.a libhs_runtime.so.5 libhs.so libhs.so.5.0.0</div></div><div><br></div><div>What am I missing?</div><div><br></div><div>Thanks,</div><div>Fatema.</div><div><br></div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On Thu, Jul 12, 2018 at 9:47 AM, Cloherty, Sean E <span dir="ltr"><<a href="mailto:scloherty@mitre.org" target="_blank">scloherty@mitre.org</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="m_-1605179516373911987m_-6149345565417331440WordSection1">
<p class="MsoNormal">Forwarding you the instructions from Derek Spransy which helped me get Hyperscan installed on CentOS.
</p>
<p class="MsoNormal"><span><b>From:</b> Oisf-users [mailto:<a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org" target="_blank">oisf-users-bounces@lis<wbr>ts.openinfosecfoundation.org</a>]
<b>On Behalf Of </b>fatema bannatwala<br>
</span><b>Sent:</b> Wednesday, July 11, 2018 13:51 PM<br>
<b>To:</b> <a href="mailto:eric@regit.org" target="_blank">eric@regit.org</a><span><br>
<b>Cc:</b> <a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfo<wbr>undation.org</a><br>
<b>Subject:</b> Re: [Oisf-users] High Suricata capture.kernel_drops<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">Hi Eric,<u></u><u></u></p><div><div class="m_-1605179516373911987h5">
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">While installing Suricata, I didn't know about the HS capability; it was disabled and hence not installed by default when installing Suricata from source.</p>
</div>
<div>
<p class="MsoNormal">Later I got to know about it. It would be really good to have the recommended features documented in the Suricata documentation, so that beginners know which options to use and enable during installation for better performance. :(</p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Thanks,<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Fatema.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div></div></div>
</div>
</div>
<br><br></div></div><div><div class="h5">---------- Forwarded message ----------<br>From: "Spransy, Derek" <<a href="mailto:dsprans@emory.edu" target="_blank">dsprans@emory.edu</a>><br>To: "Cloherty, Sean E" <<a href="mailto:scloherty@mitre.org" target="_blank">scloherty@mitre.org</a>>, "<a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.<wbr>openinfosecfoundation.org</a>" <<a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.<wbr>openinfosecfoundation.org</a>><br>Cc: <br>Bcc: <br>Date: Tue, 28 Mar 2017 16:20:47 +0000<br>Subject: Re: Hyperscan on RHEL or CentOS<br>
<div dir="ltr">
<div id="m_-1605179516373911987m_1688041191579296835divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif" dir="ltr">
<p>These are my notes from installing HS and pf_ring support on RHEL 7.</p>
<p></p>
<h3 class="m_-1605179516373911987m_1688041191579296835p2" id="m_-1605179516373911987m_1688041191579296835SuricataDocumentation-snortappprod3-InstallwithIntelHyperscanEnabled" style="margin:30px 0px 0px;padding:0px;font-size:16px;line-height:1.5;font-family:Arial,sans-serif">
Install with Intel Hyperscan Enabled</h3>
<p class="m_-1605179516373911987m_1688041191579296835p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<u><span class="m_-1605179516373911987m_1688041191579296835s1">Install pre-requisites</span></u></p>
<p class="m_-1605179516373911987m_1688041191579296835p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-1605179516373911987m_1688041191579296835s1">sudo yum install cmake gcc-c++ python-devel</span></p>
<p class="m_-1605179516373911987m_1688041191579296835p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-1605179516373911987m_1688041191579296835s1">Download ragel, unpack, ./configure, make, sudo make install</span></p>
<p class="m_-1605179516373911987m_1688041191579296835p2" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<u>Download and compile boost headers</u></p>
<p class="m_-1605179516373911987m_1688041191579296835p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-1605179516373911987m_1688041191579296835s1">Download boost 1.60</span></p>
<p class="m_-1605179516373911987m_1688041191579296835p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-1605179516373911987m_1688041191579296835s1">tar xvzf boost_1_60_0.tar.gz</span></p>
<p class="m_-1605179516373911987m_1688041191579296835p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-1605179516373911987m_1688041191579296835s1">cd boost_1_60_0</span></p>
<p class="m_-1605179516373911987m_1688041191579296835p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-1605179516373911987m_1688041191579296835s1">./bootstrap.sh</span></p>
<p class="m_-1605179516373911987m_1688041191579296835p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-1605179516373911987m_1688041191579296835s1">./b2</span></p>
<p class="m_-1605179516373911987m_1688041191579296835p2" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<u>Install Hyperscan</u></p>
<p class="m_-1605179516373911987m_1688041191579296835p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-1605179516373911987m_1688041191579296835s1">git clone <a href="https://github.com/01org/hyperscan" class="m_-1605179516373911987m_1688041191579296835external-link" rel="nofollow" style="color:rgb(50,108,166);text-decoration:none" id="m_-1605179516373911987m_1688041191579296835LPlnk963466" target="_blank">
https://github.com/01org/hyper<wbr>scan</a></span><br>
</p>
<p class="m_-1605179516373911987m_1688041191579296835p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-1605179516373911987m_1688041191579296835s1">cd hyperscan</span></p>
<p class="m_-1605179516373911987m_1688041191579296835p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-1605179516373911987m_1688041191579296835s1">mkdir build</span></p>
<p class="m_-1605179516373911987m_1688041191579296835p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-1605179516373911987m_1688041191579296835s1">cd build</span></p>
<p class="m_-1605179516373911987m_1688041191579296835p3" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-1605179516373911987m_1688041191579296835s2">cmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=/home/<u></u>/boost_1_60<wbr>_0/ ../</span></p>
<p class="m_-1605179516373911987m_1688041191579296835p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-1605179516373911987m_1688041191579296835s1">make</span></p>
<p class="m_-1605179516373911987m_1688041191579296835p1" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-1605179516373911987m_1688041191579296835s1">sudo make install</span></p>
<p class="m_-1605179516373911987m_1688041191579296835p2" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<u>Compile Suricata with HS and PF_RING support</u></p>
<p class="m_-1605179516373911987m_1688041191579296835p3" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-1605179516373911987m_1688041191579296835s2">./</span><span class="m_-1605179516373911987m_1688041191579296835s3">configure</span><span class="m_-1605179516373911987m_1688041191579296835s2"> --prefix=/usr --sysconfdir=/etc --enable-pfring --with-libpfring-includes=/usr<wbr>/local/include --with-libpfring-libraries=/us<wbr>r/local/lib --with-libnspr-includes=/usr/i<wbr>nclude/nspr4/ --with-libnspr-libraries=/usr/<wbr>include/nspr4/
--with-libcap_ng-libraries=/us<wbr>r/local/lib --with-libhs-includes=/usr/loc<wbr>al/include/hs/ --with-libhs-libraries=/usr/lo<wbr>cal/lib/</span></p>
<p class="m_-1605179516373911987m_1688041191579296835p3" style="margin-top:10px;margin-right:0px;margin-left:0px;padding:0px;color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">
<span class="m_-1605179516373911987m_1688041191579296835s2">mpm-algo and spm-algo values in suricata.yaml must be set to 'auto' or 'hs'</span></p>
<br>
<p></p>
<br>
<br>
<div style="color:rgb(0,0,0)">
<hr style="display:inline-block;width:98%">
<div id="m_-1605179516373911987m_1688041191579296835divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Oisf-users
<u></u>on behalf of Cloherty, Sean E
<u></u><br>
<b>Sent:</b> Tuesday, March 28, 2017 12:15 PM<br>
<b>To:</b> <a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfo<wbr>undation.org</a><br>
<b>Subject:</b> [Oisf-users] Hyperscan on RHEL or CentOS</font>
<div></div>
</div>
<div>
<div>
<p style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">
Has anyone got instructions for installing Hyperscan on RHEL/CentOS? I’ve tried a few times now and it seems like I get fairly close, but I’ve not been able to compile Suricata with Hyperscan. I know that it is something I am completing incorrectly but have
not been able to figure it out. Are there files or configuration changes that I can check at the end of the install to see if it was completed correctly prior to compiling Suricata?</p>
<p style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">
</p>
<p style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">
Thanks.</p>
<p style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">
</p>
<p style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">
Sean Cloherty</p>
<p style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">
InfoSec Engineer/Scientist, Lead</p>
<p style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">
<span style="font-family:MITRE;color:#2e74b5">MITRE</span> Corporation</p>
<p style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">
office (781) 271-3707</p>
<p style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">
cell (781) 697-8043</p>
<p style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">
</p>
</div>
</div>
</div>
</div>
<br>
</div>
<br></div></div></blockquote></div><br></div>
</blockquote></div><br></div>
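<p>The <code>ldd</code> output in this thread shows <code>libhs.so.5 => not found</code> although the file exists in <code>/usr/local/lib64</code>. The script below is an added example, not part of the thread: it checks whether that directory is registered with the dynamic linker rather than copying the library into <code>/lib64</code>. It assumes the loader configuration lives in <code>/etc/ld.so.conf</code> and <code>/etc/ld.so.conf.d/*.conf</code> as on RHEL/CentOS; the drop-in name <code>hyperscan.conf</code> and all function names are hypothetical.</p>

```shell
#!/bin/sh
# Added example: explain an ldd "not found" entry instead of copying into /lib64.

# Constructed sample: three lines from the ldd output quoted in the thread.
sample_ldd() {
    printf '\t%s\n' \
        'libyaml-0.so.2 => /lib64/libyaml-0.so.2 (0x00007f62ad7bf000)' \
        'libhs.so.5 => not found' \
        'libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f62ad55d000)'
}

# Print the sonames that ldd could not resolve (ldd output on stdin).
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Succeed if directory $1 is listed in one of the ld.so.conf-style files
# named after it. Comments and a trailing slash are ignored; "include"
# lines are not followed, so pass the included files explicitly.
dir_registered() {
    want=${1%/}; shift
    [ "$#" -gt 0 ] || return 1   # without files, cat would eat the caller's stdin
    cat "$@" 2>/dev/null | awk -v want="$want" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); sub(/\/$/, "") }
        $0 == want { found = 1 }
        END { exit !found }'
}

# For each unresolved soname on stdin: is it in directory $1, and is that
# directory known to the dynamic linker via the config files in $2...?
advise() {
    libdir=${1%/}; shift
    missing_libs | while read -r soname; do
        if [ ! -e "$libdir/$soname" ]; then
            echo "$soname: not in $libdir, check the Hyperscan install prefix"
        elif dir_registered "$libdir" "$@"; then
            echo "$soname: $libdir is registered, run ldconfig to refresh the cache"
        else
            # hyperscan.conf is a hypothetical drop-in name
            echo "$soname: put $libdir in /etc/ld.so.conf.d/hyperscan.conf, run ldconfig"
        fi
    done
}

# Demo on the sample; on a real host pipe in: ldd /usr/local/suricata/4.0.4/bin/suricata
sample_ldd | advise /usr/local/lib64 /etc/ld.so.conf /etc/ld.so.conf.d/*.conf
```

<p>Registering the directory keeps the library under <code>/usr/local</code>, where <code>make install</code> put it, so a later Hyperscan rebuild does not leave a stale copy in <code>/lib64</code> that the loader would pick up first.</p>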