[Oisf-users] High Suricata capture.kernel_drops

fatema bannatwala fatema.bannatwala at gmail.com
Wed Jul 18 20:57:03 UTC 2018


So trying to install HyperScan and then compile Suricata with HS lib.
Suricata can't link to the libhs.so.5 library, any ideas why?

Followed the steps mentioned, just had to yum install libquadmath-devel,
but other than that everything was pretty much installed as per the
documented steps.
And then compiled Suricata with
" --with-libhs-includes=/usr/local/include/hs
--with-libhs-libraries=/usr/local/lib64" additional options.

$ ldd /usr/local/suricata/4.0.4/bin/suricata
        linux-vdso.so.1 =>  (0x00007ffe1e797000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f62aee7b000)
        libhtp.so.2 => /usr/local/suricata/4.0.4/lib/libhtp.so.2
(0x00007f62aec5a000)
        librt.so.1 => /lib64/librt.so.1 (0x00007f62aea52000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f62ae750000)
        libmagic.so.1 => /lib64/libmagic.so.1 (0x00007f62ae533000)
        libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007f62ae32d000)
        libpfring.so => /usr/local/pfring/6.6.0/lib/libpfring.so
(0x00007f62ae0b9000)
        libpcap.so.1 => /usr/local/pfring/6.6.0/lib/libpcap.so.1
(0x00007f62ade06000)
        libnet.so.1 => /lib64/libnet.so.1 (0x00007f62adbec000)
        libjansson.so.4 => /lib64/libjansson.so.4 (0x00007f62ad9df000)
        libyaml-0.so.2 => /lib64/libyaml-0.so.2 (0x00007f62ad7bf000)
        *libhs.so.5 => not found*
        libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f62ad55d000)
        libssl3.so => /lib64/libssl3.so (0x00007f62ad30b000)
        libsmime3.so => /lib64/libsmime3.so (0x00007f62ad0e4000)
        libnss3.so => /lib64/libnss3.so (0x00007f62acdb7000)
        libnssutil3.so => /lib64/libnssutil3.so (0x00007f62acb88000)
        libplds4.so => /lib64/libplds4.so (0x00007f62ac984000)
        libplc4.so => /lib64/libplc4.so (0x00007f62ac77f000)
        libnspr4.so => /lib64/libnspr4.so (0x00007f62ac541000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f62ac33d000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f62abf70000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f62af097000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f62abd5a000)

But it's there in /usr/local/lib64/ folder:
$ ls /usr/local/lib64/
libhs.a          libhs_runtime.so    libhs_runtime.so.5.0.0  libhs.so.5     pkgconfig
libhs_runtime.a  libhs_runtime.so.5  libhs.so                libhs.so.5.0.0

What am I missing?

Thanks,
Fatema.
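The ldd output above and Sean's question below (how to check at the end of the install that it was completed correctly) are the same problem seen from two sides: the build found libhs at link time via --with-libhs-libraries, but the runtime loader only searches the directories in its own configuration. The script below is an added example, not code from the thread or from the Suricata project; it takes ldd output and loader configuration text as arguments so it can be run on constructed samples, and the directory names it suggests (/etc/ld.so.conf.d/local.conf) are an assumption about the usual layout.

```shell
#!/bin/sh
# Added example, not code from the thread. Diagnoses the "libhs.so.5 => not found"
# case: the library is installed in a directory the dynamic loader is not
# configured to search, so ldd reports it missing even though linking succeeded.

# missing_libs LDD_OUTPUT: print every library that ldd reported as "not found".
missing_libs() {
    printf '%s\n' "$1" | awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# find_lib LIB DIR...: print the first of the given directories that contains LIB.
find_lib() {
    lib=$1; shift
    for d in "$@"; do
        if [ -e "$d/$lib" ]; then printf '%s\n' "$d"; return 0; fi
    done
    return 1
}

# loader_searches_dir DIR LDCONF_TEXT: succeed if DIR is listed in the loader
# configuration text (the lines of /etc/ld.so.conf and /etc/ld.so.conf.d/*.conf).
loader_searches_dir() {
    printf '%s\n' "$2" | grep -qx "$1"
}

# diagnose LDD_OUTPUT LDCONF_TEXT DIR...: for each missing library, report whether
# it exists in one of DIR... and whether the loader would look there.
diagnose() {
    ldd_out=$1; ldconf=$2; shift 2
    for lib in $(missing_libs "$ldd_out"); do
        dir=$(find_lib "$lib" "$@") || { echo "$lib: not present in $*"; continue; }
        if loader_searches_dir "$dir" "$ldconf"; then
            echo "$lib: found in $dir, which the loader searches; run ldconfig to refresh its cache"
        else
            echo "$lib: found in $dir, which the loader does not search;" \
                 "add $dir to /etc/ld.so.conf.d/local.conf (assumed path) and run ldconfig"
        fi
    done
}

# Constructed sample: the relevant lines of the ldd output posted above, plus a
# loader configuration that lists /usr/local/lib but not /usr/local/lib64.
SAMPLE_LDD='        libhs.so.5 => not found
        libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f62ad55d000)'
SAMPLE_LDCONF='/usr/local/lib'
diagnose "$SAMPLE_LDD" "$SAMPLE_LDCONF" /usr/local/lib64 /usr/local/lib
```

On a live box, pass `"$(ldd /usr/local/suricata/4.0.4/bin/suricata)"` and `"$(cat /etc/ld.so.conf /etc/ld.so.conf.d/*.conf)"` instead of the samples; once ldd resolves libhs.so.5, `suricata --build-info` should list Hyperscan support.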





On Thu, Jul 12, 2018 at 9:47 AM, Cloherty, Sean E <scloherty at mitre.org>
wrote:

> Forwarding you the instructions from Derek Spransy which helped me get
> Hyperscan installed on CentOS.
>
> *From:* Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] *On Behalf Of *fatema bannatwala
> *Sent:* Wednesday, July 11, 2018 13:51 PM
> *To:* eric at regit.org
> *Cc:* oisf-users at lists.openinfosecfoundation.org
> *Subject:* Re: [Oisf-users] High Suricata capture.kernel_drops
>
> Hi Eric,
>
> While installing Suricata, didn't know about HS capability, and it was
> disabled and hence not installed by default while installing suricata from
> source.
>
> Later I got to know about it, it would be really good to have the
> recommended features documented in the Suricata documentation for the
> beginners to know which options to use and enable while installation for
> better performance. :(
>
> Thanks,
>
> Fatema.
>
> ---------- Forwarded message ----------
> From: "Spransy, Derek" <dsprans at emory.edu>
> To: "Cloherty, Sean E" <scloherty at mitre.org>, "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
> Cc:
> Bcc:
> Date: Tue, 28 Mar 2017 16:20:47 +0000
> Subject: Re: Hyperscan on RHEL or CentOS
>
> These are my notes from installing HS and pf_ring support on RHEL 7.
>
> Install with Intel Hyperscan Enabled
>
> *Install pre-requisites*
>
> sudo yum install cmake gcc-c++ python-devel
>
> Download ragel, unpack, ./configure, make, sudo make install
>
> *Download and compile boost headers*
>
> Download boost 1.60
>
> tar xvzf boost_1_60_0.tar.gz
>
> cd boost_1_60_0
>
> ./bootstrap.sh
>
> ./b2
>
> *Install Hyperscan*
>
> git clone https://github.com/01org/hyperscan
>
> cd hyperscan
>
> mkdir build
>
> cd build
>
> cmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=/home//boost_1_60_0/ ../
>
> make
>
> sudo make install
>
> *Compile Suricata with HS and PF_RING support*
>
> ./configure --prefix=/usr --sysconfdir=/etc --enable-pfring
> --with-libpfring-includes=/usr/local/include --with-libpfring-libraries=/usr/local/lib
> --with-libnspr-includes=/usr/include/nspr4/ --with-libnspr-libraries=/usr/include/nspr4/
> --with-libcap_ng-libraries=/usr/local/lib --with-libhs-includes=/usr/local/include/hs/
> --with-libhs-libraries=/usr/local/lib/
>
> mpm-algo and spm-algo values in suricata.yaml must be set to 'auto' or 'hs'
>
> ------------------------------
> *From:* Oisf-users on behalf of Cloherty, Sean E
> *Sent:* Tuesday, March 28, 2017 12:15 PM
> *To:* oisf-users at lists.openinfosecfoundation.org
> *Subject:* [Oisf-users] Hyperscan on RHEL or CentOS
>
> Has anyone got instructions for installing Hyperscan on RHEL/CentOS? I’ve
> tried a few times now and it seems like I get fairly close, but I’ve not
> been able to compile Suricata with Hyperscan. I know that it is something I
> am completing incorrectly but have not been able to figure it out. Are
> there files or configuration changes that I can check at the end of the
> install to see if it was completed correctly prior to compiling Suricata?
>
> Thanks.
>
> Sean Cloherty
>
> InfoSec Engineer/Scientist, Lead
>
> MITRE Corporation
>
> office (781) 271-3707
>
> cell (781) 697-8043
>
>
>