[Oisf-users] High Suricata capture.kernel_drops

fatema bannatwala fatema.bannatwala at gmail.com
Thu Jul 12 14:35:22 UTC 2018


Thanks for forwarding the instructions, I will recompile Suricata with
HyperScan support and see if that helps reduce the kernel_drops.

Thanks,
Fatema.

On Thu, Jul 12, 2018 at 9:47 AM, Cloherty, Sean E <scloherty at mitre.org>
wrote:

> Forwarding you the instructions from Derek Spransy which helped me get
> Hyperscan installed on CentOS.
>
>
>
> *From:* Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.
> org] *On Behalf Of *fatema bannatwala
> *Sent:* Wednesday, July 11, 2018 13:51 PM
> *To:* eric at regit.org
> *Cc:* oisf-users at lists.openinfosecfoundation.org
> *Subject:* Re: [Oisf-users] High Suricata capture.kernel_drops
>
>
>
> Hi Eric,
>
>
>
> While installing Suricata, I didn't know about the HS capability, and it was
> disabled and hence not installed by default when installing Suricata from
> source.
>
> Later I got to know about it. It would be really good to have the
> recommended features documented in the Suricata documentation, so that
> beginners know which options to use and enable during installation for
> better performance. :(
>
>
>
> Thanks,
>
> Fatema.
>
>
>
>
> ---------- Forwarded message ----------
> From: "Spransy, Derek" <dsprans at emory.edu>
> To: "Cloherty, Sean E" <scloherty at mitre.org>, "
> oisf-users at lists.openinfosecfoundation.org" <
> oisf-users at lists.openinfosecfoundation.org>
> Cc:
> Bcc:
> Date: Tue, 28 Mar 2017 16:20:47 +0000
> Subject: Re: Hyperscan on RHEL or CentOS
>
> These are my notes from installing HS and pf_ring support on RHEL 7.
>
> Install with Intel Hyperscan Enabled
>
> *Install pre-requisites*
>
> sudo yum install cmake gcc-c++ python-devel
>
> Download ragel, unpack, ./configure, make, sudo make install
>
> *Download and compile boost headers*
>
> Download boost 1.60
>
> tar xvzf boost_1_60_0.tar.gz
>
> cd boost_1_60_0
>
> ./bootstrap.sh
>
> ./b2
>
> *Install Hyperscan*
>
> git clone https://github.com/01org/hyperscan
>
> cd hyperscan
>
> mkdir build
>
> cd build
>
> cmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=/home//boost_1_60_0/ ../
>
> make
>
> sudo make install
>
> *Compile Suricata with HS and PF_RING support*
>
> ./configure --prefix=/usr --sysconfdir=/etc --enable-pfring
> --with-libpfring-includes=/usr/local/include --with-libpfring-libraries=/usr/local/lib
> --with-libnspr-includes=/usr/include/nspr4/ --with-libnspr-libraries=/usr/include/nspr4/
> --with-libcap_ng-libraries=/usr/local/lib --with-libhs-includes=/usr/local/include/hs/
> --with-libhs-libraries=/usr/local/lib/
>
> mpm-algo and spm-algo values in suricata.yaml must be set to 'auto' or 'hs'
>
>
>
> ------------------------------
> *From:* Oisf-users on behalf of Cloherty, Sean E
> *Sent:* Tuesday, March 28, 2017 12:15 PM
> *To:* oisf-users at lists.openinfosecfoundation.org
> *Subject:* [Oisf-users] Hyperscan on RHEL or CentOS
>
> Has anyone got instructions for installing Hyperscan on RHEL/CentOS? I’ve
> tried a few times now and it seems like I get fairly close, but I’ve not
> been able to compile Suricata with Hyperscan. I know that it is something I
> am completing incorrectly but have not been able to figure it out. Are
> there files or configuration changes that I can check at the end of the
> install to see if it was completed correctly prior to compiling Suricata?
>
> Thanks.
>
> Sean Cloherty
>
> InfoSec Engineer/Scientist, Lead
>
> MITRE Corporation
>
> office (781) 271-3707
>
> cell (781) 697-8043
>
>
>
>
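The forwarded build notes end with two things worth checking rather than assuming: that the rebuilt binary actually has Hyperscan compiled in, and that suricata.yaml's mpm-algo/spm-algo values leave it selectable. The thread's original symptom, capture.kernel_drops, is what you watch afterwards. The script below is an added example, not code from this thread or from the Suricata project. It runs offline against constructed sample text shaped like `suricata --build-info`, suricata.yaml and stats.log; the stats.log column layout ("counter | TM Name | value" with a "Total" row per counter) is an assumption about the 4.x format and varies between Suricata versions, so adjust the field matching for your release.

```shell
#!/bin/sh
# Added example, not code from the thread or from Suricata: three checks to
# run after the Hyperscan build above. All inputs here are CONSTRUCTED samples
# so the script runs offline; the real source for each is noted per function.

# 1. Did the rebuilt binary pick up Hyperscan?  Real input:
#      suricata --build-info | hs_enabled
#    Reads the build-info text on stdin, returns 0 when HS support is "yes".
hs_enabled() {
    grep -i 'hyperscan support' | grep -qi 'yes'
}

# 2. Is the matcher selectable in suricata.yaml?  Real input:
#      mpm_spm_ok < /etc/suricata/suricata.yaml
#    mpm-algo and spm-algo must be 'auto' or 'hs'; any other value keeps the
#    old matcher even with HS compiled in. Absent keys default to auto, so
#    only an explicit other value fails (exit 1). Prints what it found.
#    Values are expected unquoted, as in the shipped suricata.yaml.
mpm_spm_ok() {
    awk '
        /^[[:space:]]*(mpm|spm)-algo:/ {
            sub(/#.*/, "")            # strip trailing comment; $0 re-splits
            key = $1; val = $2
            print key, val
            if (val != "auto" && val != "hs") bad = 1
        }
        END { if (bad) exit 1 }'
}

# 3. After the rebuild, the number that matters: kernel drops as a percentage
#    of kernel packets.  Real input:  drop_pct < /var/log/suricata/stats.log
#    ASSUMPTION: rows look like "counter | TM Name | value" with a "Total"
#    row per counter (4.x layout). Counters are cumulative, so the last
#    Total row for each counter wins.
drop_pct() {
    awk -F'|' '
        $2 ~ /Total/ && $1 ~ /capture\.kernel_packets/ { pk = $3 + 0 }
        $2 ~ /Total/ && $1 ~ /capture\.kernel_drops/   { dr = $3 + 0 }
        END { if (pk == 0) print "0.00"; else printf "%.2f\n", 100 * dr / pk }'
}

# ---- constructed samples (shape only; not real output from anyone's box) ----
SAMPLE_BUILD_INFO='This is Suricata version 4.0.5 RELEASE
  Hyperscan support:                       yes
  PF_RING support:                         yes'

SAMPLE_YAML='%YAML 1.1
---
mpm-algo: auto
spm-algo: auto'

SAMPLE_STATS='Counter                                    | TM Name                   | Value
-------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 1000000
capture.kernel_drops                       | Total                     | 10000
capture.kernel_packets                     | Total                     | 2000000
capture.kernel_drops                       | Total                     | 25000'

# Run the three checks on the samples.
if printf '%s\n' "$SAMPLE_BUILD_INFO" | hs_enabled; then
    echo "build-info: Hyperscan support present"
else
    echo "build-info: NO Hyperscan support; re-run ./configure with --with-libhs-*"
fi
if printf '%s\n' "$SAMPLE_YAML" | mpm_spm_ok; then
    echo "suricata.yaml: mpm-algo/spm-algo allow hs"
else
    echo "suricata.yaml: mpm-algo/spm-algo pin a non-hs matcher"
fi
echo "kernel drop ratio: $(printf '%s\n' "$SAMPLE_STATS" | drop_pct)%"
```

On a real box, replace the three sample variables with the commands in the comments; if `hs_enabled` fails even after `make install`, the usual cause is that `./configure` never saw the libhs paths (check `config.log` for `--with-libhs-includes`), and if `drop_pct` stays high with HS confirmed, the drops are a capture/thread problem rather than a pattern-matcher one.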