[Oisf-users] High Suricata capture.kernel_drops

fatema bannatwala fatema.bannatwala at gmail.com
Wed Jul 18 21:26:01 UTC 2018


Ah Nevermind.  Copied the library so in /lib64 folder and it was found by
ldd.

Thanks,
Fatema.

On Wed, Jul 18, 2018 at 4:57 PM, fatema bannatwala <
fatema.bannatwala at gmail.com> wrote:

> So trying to install HyperScan and then compile Suricata with HS lib.
> Suricata can't link to the libhs.so.5 library, any ideas why?
>
> Followed the steps mentioned, just had to yum install  libquadmath-devel,
> but other than that everything was pretty much installed as per the
> documented steps.
> And then compiled Suricata with " --with-libhs-includes=/usr/local/include/hs
> --with-libhs-libraries=/usr/local/lib64" additional options.
>
> $ ldd /usr/local/suricata/4.0.4/bin/suricata
>         linux-vdso.so.1 =>  (0x00007ffe1e797000)
>         libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f62aee7b000)
>         libhtp.so.2 => /usr/local/suricata/4.0.4/lib/libhtp.so.2 (0x00007f62aec5a000)
>         librt.so.1 => /lib64/librt.so.1 (0x00007f62aea52000)
>         libm.so.6 => /lib64/libm.so.6 (0x00007f62ae750000)
>         libmagic.so.1 => /lib64/libmagic.so.1 (0x00007f62ae533000)
>         libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007f62ae32d000)
>         libpfring.so => /usr/local/pfring/6.6.0/lib/libpfring.so (0x00007f62ae0b9000)
>         libpcap.so.1 => /usr/local/pfring/6.6.0/lib/libpcap.so.1 (0x00007f62ade06000)
>         libnet.so.1 => /lib64/libnet.so.1 (0x00007f62adbec000)
>         libjansson.so.4 => /lib64/libjansson.so.4 (0x00007f62ad9df000)
>         libyaml-0.so.2 => /lib64/libyaml-0.so.2 (0x00007f62ad7bf000)
>         *libhs.so.5 => not found*
>         libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f62ad55d000)
>         libssl3.so => /lib64/libssl3.so (0x00007f62ad30b000)
>         libsmime3.so => /lib64/libsmime3.so (0x00007f62ad0e4000)
>         libnss3.so => /lib64/libnss3.so (0x00007f62acdb7000)
>         libnssutil3.so => /lib64/libnssutil3.so (0x00007f62acb88000)
>         libplds4.so => /lib64/libplds4.so (0x00007f62ac984000)
>         libplc4.so => /lib64/libplc4.so (0x00007f62ac77f000)
>         libnspr4.so => /lib64/libnspr4.so (0x00007f62ac541000)
>         libdl.so.2 => /lib64/libdl.so.2 (0x00007f62ac33d000)
>         libc.so.6 => /lib64/libc.so.6 (0x00007f62abf70000)
>         /lib64/ld-linux-x86-64.so.2 (0x00007f62af097000)
>         libz.so.1 => /lib64/libz.so.1 (0x00007f62abd5a000)
>
> But it's there in /usr/local/lib64/ folder:
> $ ls /usr/local/lib64/
> libhs.a          libhs_runtime.so    libhs_runtime.so.5.0.0  libhs.so.5      pkgconfig
> libhs_runtime.a  libhs_runtime.so.5  libhs.so                libhs.so.5.0.0
>
> What am I missing?
>
> Thanks,
> Fatema.
>
>
>
>
>
> On Thu, Jul 12, 2018 at 9:47 AM, Cloherty, Sean E <scloherty at mitre.org>
> wrote:
>
>> Forwarding you the instructions from Derek Spransy which helped me get
>> Hyperscan installed on CentOS.
>>
>>
>>
>> *From:* Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] *On Behalf Of *fatema bannatwala
>> *Sent:* Wednesday, July 11, 2018 13:51 PM
>> *To:* eric at regit.org
>> *Cc:* oisf-users at lists.openinfosecfoundation.org
>> *Subject:* Re: [Oisf-users] High Suricata capture.kernel_drops
>>
>>
>>
>> Hi Eric,
>>
>>
>>
>> While installing Suricata, didn't know about HS capability, and it was
>> disabled and hence not installed by default while installing suricata from
>> source.
>>
>> Later I got to know about it, it would be really good to have the
>> recommended features documented in the Suricata documentation for the
>> beginners to know which options to use and enable while installation for
>> better performance. :(
>>
>>
>>
>> Thanks,
>>
>> Fatema.
>>
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: "Spransy, Derek" <dsprans at emory.edu>
>> To: "Cloherty, Sean E" <scloherty at mitre.org>, "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
>> Cc:
>> Bcc:
>> Date: Tue, 28 Mar 2017 16:20:47 +0000
>> Subject: Re: Hyperscan on RHEL or CentOS
>>
>> These are my notes from installing HS and pf_ring support on RHEL 7.
>>
>> Install with Intel Hyperscan Enabled
>>
>> *Install pre-requisites*
>>
>> sudo yum install cmake gcc-c++ python-devel
>>
>> Download ragel, unpack, ./configure, make, sudo make install
>>
>> *Download and compile boost headers*
>>
>> Download boost 1.60
>>
>> tar xvzf boost_1_60_0.tar.gz
>>
>> cd boost_1_60_0
>>
>> ./bootstrap.sh
>>
>> ./b2
>>
>> *Install Hyperscan*
>>
>> git clone https://github.com/01org/hyperscan
>>
>> cd hyperscan
>>
>> mkdir build
>>
>> cd build
>>
>> cmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=/home//boost_1_60_0/ ../
>>
>> make
>>
>> sudo make install
>>
>> *Compile Suricata with HS and PF_RING support*
>>
>> ./configure --prefix=/usr --sysconfdir=/etc --enable-pfring
>> --with-libpfring-includes=/usr/local/include
>> --with-libpfring-libraries=/usr/local/lib --with-libnspr-includes=/usr/include/nspr4/
>> --with-libnspr-libraries=/usr/include/nspr4/
>> --with-libcap_ng-libraries=/usr/local/lib --with-libhs-includes=/usr/local/include/hs/
>> --with-libhs-libraries=/usr/local/lib/
>>
>> mpm-algo and spm-algo values in suricata.yaml must be set to 'auto' or
>> 'hs'
>>
>>
>>
>> ------------------------------
>> *From:* Oisf-users on behalf of Cloherty, Sean E
>> *Sent:* Tuesday, March 28, 2017 12:15 PM
>> *To:* oisf-users at lists.openinfosecfoundation.org
>> *Subject:* [Oisf-users] Hyperscan on RHEL or CentOS
>>
>> Has anyone got instructions for installing Hyperscan on RHEL/CentOS? I’ve
>> tried a few times now and it seems like I get fairly close, but I’ve not
>> been able to compile Suricata with Hyperscan. I know that it is something I
>> am completing incorrectly but have not been able to figure it out. Are
>> there files or configuration changes that I can check at the end of the
>> install to see if it was completed correctly prior to compiling Suricata?
>>
>> Thanks.
>>
>> Sean Cloherty
>>
>> InfoSec Engineer/Scientist, Lead
>>
>> MITRE Corporation
>>
>> office (781) 271-3707
>>
>> cell (781) 697-8043
>>
>>
>>
>>
>
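Added example, not part of any message in this thread: `--with-libhs-libraries` only tells the build where to link, while at run time the loader resolves `libhs.so.5` from its own search path, so a library in a directory such as /usr/local/lib64 that is not registered with the loader shows up as "not found". The helpers below (`missing_libs`, `locate_libs`, `suggest_fix` and the `<name>.conf` file name are hypothetical) parse `ldd` output and report which directory would need an /etc/ld.so.conf.d entry followed by `ldconfig`, which keeps the library in one place instead of copying it into /lib64.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not from the thread or from Suricata.

# Constructed sample, trimmed from the ldd output quoted in the thread.
SAMPLE_LDD='        libyaml-0.so.2 => /lib64/libyaml-0.so.2 (0x00007f62ad7bf000)
        libhs.so.5 => not found
        libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f62ad55d000)'

# Read ldd output on stdin; print the soname of each unresolved dependency.
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Read sonames on stdin; for each, print "soname dir" for the first of the
# given directories that contains a file of that name.
locate_libs() {
    while IFS= read -r soname; do
        for dir in "$@"; do
            if [ -e "$dir/$soname" ]; then
                printf '%s %s\n' "$soname" "$dir"
                break
            fi
        done
    done
}

# Usage: suggest_fix <binary> <dir>...
# Reports directories that hold a needed library but are not searched at run time.
suggest_fix() {
    binary=$1; shift
    ldd "$binary" 2>/dev/null | missing_libs | locate_libs "$@" |
    while read -r soname dir; do
        echo "$soname is in $dir: list $dir in /etc/ld.so.conf.d/<name>.conf, run ldconfig"
    done
}

# Demonstration on the constructed sample: prints libhs.so.5
printf '%s\n' "$SAMPLE_LDD" | missing_libs
```

With the paths from the thread the call would be `suggest_fix /usr/local/suricata/4.0.4/bin/suricata /usr/local/lib64`; afterwards `ldconfig -p | grep libhs` shows whether the loader cache has the entry.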