How to install Suricata with Hyperscan pattern matching in 10 easy steps.

1. Get the latest kernels & headers, then reboot to make the update active:

    yum clean all
    yum update
    shutdown -r now

2. Add the EPEL repo:

    yum install epel-release
    yum update

3. Install useful troubleshooting tools:

    yum install net-tools pciutils psmisc screen tar tcpdump wget

4. Install the Developer Tools needed for compiling and installing code:

    yum group install "Development Tools"

5. Install Rust:

    curl -sf -L https://static.rust-lang.org/rustup.sh | sh

   Choose 1 to continue with the default installation.

6. TCMALLOC install (OPTIONAL)

   ‘tcmalloc’ is a library Google created as part of the google-perftools suite for improving memory handling in a threaded program. It leads to minor speed-ups and also reduces memory usage quite a bit.

    yum install gperftools-libs

   Change your startup to look similar to this:

    LD_PRELOAD="/usr/lib64/libtcmalloc_minimal.so.4" suricata -c suricata.yaml -i eth0

7. Install other general prerequisites:

    yum install bzip2-devel cmake cargo file-devel GeoIP-devel jansson-devel kernel-devel libcap-ng-devel \
        libdnet libnet-devel libnetfilter_queue-devel libpcap-devel libyaml-devel lua-devel lz4-devel \
        lzma ncurses-devel nss-devel pcre-devel python-devel python-yaml ragel sqlite-devel xz-devel luajit luajit-devel

BUILD HYPERSCAN - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Hyperscan

"Hyperscan is a high-performance multiple regex matching library." https://01.org/hyperscan - In Suricata it is used to perform multi pattern matching (mpm). Support was implemented by Justin Viiret and Jim Xu from Intel.

8. Download and compile Boost headers. Check for the current version at https://sourceforge.net/projects/boost/files/boost/

    # Steps 8 and 9 reference /usr/local/src/boost_1_70_0 and /usr/local/src/hyperscan, so work from /usr/local/src
    cd /usr/local/src
    wget https://sourceforge.net/projects/boost/files/boost/1.70.0/boost_1_70_0.tar.bz2
    # The download is a bzip2 archive, so extract with -j
    tar xjvf boost_1_70_0.tar.bz2
    cd boost_1_70_0
    ./bootstrap.sh
    ./b2

9. Install Hyperscan from the GitHub source archive:

    cd /usr/local/src
    wget https://codeload.github.com/intel/hyperscan/zip/master
    unzip master
    mv hyperscan-master hyperscan
    cd hyperscan
    mkdir build
    cd build
    # Make the Boost headers visible inside the Hyperscan source tree
    ln -s /usr/local/src/boost_1_70_0/boost /usr/local/src/hyperscan/include/boost
    cmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=/usr/local/src/boost_1_70_0/ ../
    make
    sudo make install

10. Build & Install SURICATA - Download source code and install Suricata:

    wget https://www.openinfosecfoundation.org/download/suricata-4.1.5.tar.gz
    tar -zxvf suricata-4.1.5.tar.gz
    cd suricata-4.1.5
    ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
        --with-libhs-includes=/usr/local/include/hs/ --with-libhs-libraries=/usr/local/lib64/ \
        --with-liblzma-includes=/usr/include/ --with-liblzma-libraries=/usr/lib64 \
        --enable-gccprotect --enable-gccprofile --enable-gccmarch-native \
        --enable-lua --enable-geoip --enable-rust --enable-unix-socket
    make
    sudo make install
    ldconfig
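
A post-install check for the build in step 10, added here as an example and not part of the original guide: it parses the output of `suricata --build-info` and reports any feature requested on the configure line that was not compiled in. The function name `check_build_info`, the feature labels (assumed to match Suricata's build-info summary) and the sample text are assumptions of this example.

```sh
#!/bin/sh
# Added example: confirm the features requested in step 10 made it into the binary.
# Reads `suricata --build-info` text on stdin, prints every required feature
# that is not reported as "yes", and returns non-zero if any is missing.
# The feature labels are assumed to match Suricata's build-info summary.
check_build_info() {
    awk '
        BEGIN {
            n = split("Hyperscan support|Rust support|LUA support|Unix socket enabled", want, "|")
        }
        {
            # Summary lines look like "  Hyperscan support:        yes"
            idx = index($0, ":")
            if (idx == 0) next
            key = substr($0, 1, idx - 1)
            val = substr($0, idx + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            seen[tolower(key)] = tolower(val)
        }
        END {
            missing = 0
            for (i = 1; i <= n; i++) {
                # Accept "yes" and longer values that start with "yes"
                if (seen[tolower(want[i])] !~ /^yes/) {
                    print "MISSING: " want[i]
                    missing++
                }
            }
            exit (missing > 0)
        }'
}

# Constructed sample of build-info output (not captured from a real host).
SAMPLE_OK='  Unix socket enabled:                     yes
  Hyperscan support:                       yes
  Rust support:                            yes
  LUA support:                             yes'

if command -v suricata >/dev/null 2>&1; then
    # Real check on a host where step 10 has completed
    suricata --build-info | check_build_info && echo "build OK"
else
    # Offline demonstration on the constructed sample
    printf '%s\n' "$SAMPLE_OK" | check_build_info && echo "sample OK"
fi
```

A "MISSING: Hyperscan support" line after step 10 usually means configure did not find the headers or libraries at the `--with-libhs-includes` / `--with-libhs-libraries` paths.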