How to install Suricata with Hyperscan pattern matching on CentOS 8 (Basic Server Install) in 10 easy steps.

I. INSTALL SURICATA PREREQUISITES

1. Enable EPEL & CentOS-PowerTools repos, update to latest kernels & headers, & reboot:

Edit the /etc/yum.repos.d/CentOS-PowerTools.repo and /etc/yum.repos.d/epel.repo files so that enabled=1 for the desired repo, then run:

    yum clean all
    yum update
    shutdown -r now

2. Install Developer Tools needed for compiling and other useful software:

    yum group install "Development Tools"
    yum install htop hwloc net-tools pciutils psmisc screen tar tcpdump wget

*If you checked Standard Server Tools during install, then net-tools, pciutils, tar, tcpdump, and wget are already installed and you only need to run:

    yum install htop hwloc psmisc screen

3. Install RUST: Choose one of these three methods -

a. Install from the repos:

    yum install rust

b. Use rustup and choose 1 to continue with the default installation:

    curl -sf -L https://static.rust-lang.org/rustup.sh | sh

c. For hosts without internet access, use the standalone installers found here - https://forge.rust-lang.org/infra/other-installation-methods.html . For RHEL / CentOS on standard x86_64 choose the link labeled "x86_64-unknown-linux-gnu"

    tar zxvf rust-#.##.#-x86_64-unknown-linux-gnu.tar.gz
    cd rust-#.##.#-x86_64-unknown-linux-gnu
    sudo ./install.sh

4. Install TCMALLOC (OPTIONAL)

'tcmalloc' is a library Google created as part of the google-perftools suite for improving memory handling in a threaded program. It leads to minor speed-ups and can reduce memory usage.

    yum install gperftools-libs

Change your Suricata startup to look similar to this -

    LD_PRELOAD="/usr/lib64/libtcmalloc_minimal.so.4" suricata -c suricata.yaml -i eth0

5. Install other general prerequisites -

    yum install bzip2-devel cmake cargo file-devel jansson-devel kernel-devel \
        libpcap-devel libcap-ng-devel libmaxminddb-devel libdnet libnet-devel \
        libnetfilter_queue-devel libyaml-devel lua-devel luajit luajit-devel \
        lzma lz4-devel ncurses-devel nss-devel pcre-devel python3-devel \
        python3-yaml rust-toolset sqlite-devel xz-devel zlib-devel

II. BUILD HYPERSCAN - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Hyperscan

"Hyperscan is a high-performance multiple regex matching library." https://01.org/hyperscan - In Suricata it is used to perform multi pattern matching (mpm). Support was implemented by Justin Viiret and Jim Xu from Intel.

Download and compile the Hyperscan requirements - Colm, Ragel, Boost. The commands below assume all sources are downloaded and built under /usr/local/src, the location used by the Boost and Hyperscan paths in step 9.

6. COLM - Check for current version at http://www.colm.net/open-source/colm/

    cd /usr/local/src
    wget http://www.colm.net/files/colm/colm-0.12.0.tar.gz
    tar zxvf colm-0.12.0.tar.gz
    cd colm-0.12.0
    ./configure
    make && make install

7. RAGEL - Check for current version at http://www.colm.net/open-source/ragel/

    cd /usr/local/src
    wget http://www.colm.net/files/ragel/ragel-6.10.tar.gz
    tar zxvf ragel-6.10.tar.gz
    cd ragel-6.10
    ./configure
    make && make install

8. BOOST - Check for current version at https://sourceforge.net/projects/boost/files/boost/

    cd /usr/local/src
    wget https://sourceforge.net/projects/boost/files/boost/1.70.0/boost_1_70_0.tar.gz
    tar zxvf boost_1_70_0.tar.gz
    cd boost_1_70_0
    ./bootstrap.sh
    ./b2

9. Download and Compile HYPERSCAN - From http://intel.github.io/hyperscan/dev-reference/

    cd /usr/local/src
    wget https://github.com/intel/hyperscan/archive/master.zip
    unzip master.zip
    mv hyperscan-master hyperscan
    cd hyperscan
    mkdir build
    cd build
    ln -s /usr/local/src/boost_1_70_0/boost /usr/local/src/hyperscan/include/boost
    cmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=/usr/local/src/boost_1_70_0/ ../
    make
    sudo make install

III. BUILD SURICATA

10. Compile & Install SURICATA - Download source code and install Suricata

    cd /usr/local/src
    wget https://www.openinfosecfoundation.org/download/suricata-5.0.0.tar.gz
    tar zxvf suricata-5.0.0.tar.gz
    cd suricata-5.0.0
    ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
        --with-libhs-includes=/usr/local/include/hs/ \
        --with-libhs-libraries=/usr/local/lib64/ \
        --with-liblzma-includes=/usr/include/ \
        --with-liblzma-libraries=/usr/lib64 \
        --enable-gccprotect --enable-gccprofile --enable-gccmarch-native \
        --enable-geoip --enable-rust --enable-unix-socket --enable-luajit
    make && make install

*** You may need to add /usr/local/lib64 to the ldconfig conf folder, then run:

    ldconfig
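
Added example, not part of the original guide: a POSIX shell check to run after step 10 that confirms the build picked up the features requested on the ./configure line and that libhs is in the linker cache (the /usr/local/lib64 note above). The feature labels are assumed to match the wording of suricata --build-info, and both sample inputs are constructed.

```shell
#!/bin/sh
# Added example: post-build checks for the Suricata + Hyperscan install above.

# Feature labels assumed to match the wording of `suricata --build-info`.
REQUIRED_FEATURES='Hyperscan support
Rust support
Unix socket enabled
libluajit'

# Reads build-info text on stdin; prints each required label that is absent
# or whose value does not start with "yes".
missing_features() {
    info=$(cat)
    printf '%s\n' "$REQUIRED_FEATURES" | while IFS= read -r label; do
        value=$(printf '%s\n' "$info" | awk -F: -v want="$label" '
            { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
            key == want { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val); print val; exit }')
        case "$value" in
            yes*) ;;
            *) printf '%s\n' "$label" ;;
        esac
    done
}

# Reads `ldconfig -p` output on stdin; succeeds if the Hyperscan runtime
# library (libhs) is in the linker cache.
libhs_cached() { grep -q 'libhs\.so'; }

# Constructed sample: a build where ./configure did not find libhs.
SAMPLE_BUILD_INFO='  Unix socket enabled:                     yes
  libluajit:                               yes
  Hyperscan support:                       no
  Rust support:                            yes'
# Constructed sample: one line of linker-cache output.
SAMPLE_LDCONFIG='    libhs.so.5 (libc6,x86-64) => /usr/local/lib64/libhs.so.5'

# Use the real binary when it is installed, otherwise the constructed samples.
if command -v suricata >/dev/null 2>&1; then
    suricata --build-info | missing_features
    ldconfig -p | libhs_cached || echo 'libhs is not in the linker cache'
else
    printf '%s\n' "$SAMPLE_BUILD_INFO" | missing_features
    printf '%s\n' "$SAMPLE_LDCONFIG" | libhs_cached || echo 'libhs is not in the linker cache'
fi
```

Any label it prints means that feature was not compiled in, usually because ./configure could not find the library at the path it was given.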