Hi everyone, I have (as the title states) a VM I'm optimizing as much as possible using AF-Packet with Suricata 6 on CentOS 7. Once it is fully stable and optimized I will replicate the config across the fleet.
I have found the RPM packages for CentOS 7 and have read some related threads such as
I am responsible for a wide range of services and don't have a fully functioning CI/CD pipeline to help me with this scale problem I have. Is there a version of the Suricata 6 RPM that has Hyperscan and possibly other options enabled, so I can enable them by toggling those specific options within the YAML file?
One issue I have is that with my install of the Suricata 6 RPM I am running into capacity issues and kernel dropped packets are increasing. I have it running with 48 threads and over 64GB RAM, but once ET PRO rules are enabled the kernel packet dropped count increases. Looking into enabling Hyperscan to start optimizing further, I found the Hyperscan RPM package and it is installed, but since suricata --build-info states it's not enabled I assume I have to re-install by compiling from source.
In an air-gapped environment with minimal package repositories available to the sensor itself, it would be more beneficial to me to have a larger Suricata install package, knowing it has all the advanced features needed, instead of a smaller Suricata install base with subsequent 3rd-party RPM package repos needing to be enabled, and not discovering that until install time.
Is there somewhere that hosts such a version with Boost + Hyperscan + Suricata 6 built already, or do I really have to compile from source for each of my sensors (upwards of 50)?
Not that I'm aware of. The Suricata RPMs for EL7 don't have Hyperscan support, as Hyperscan isn't in any of the standard repos and we decided not to take on the maintenance of supporting a Hyperscan package for EL7 when EL8 has it already.
If you are familiar with building RPMs, you could potentially rebuild our RPMs on a system where Hyperscan is found, then they should have Hyperscan support, but this is often trickier than it sounds.
Have you tested on one sensor to see if Hyperscan does help your performance issues?
Thanks for your response @ish, this is what I'm attempting to get set up on a dev sensor so I can build the final RPM and replicate it to the other sensors.
So if I obtain the suricata.tar.gz and run the configure options such as enable prelude, enable af-packet, config and logging directories and Hyperscan, I can then use fpm to make that package. If I then just copy my custom-suricata.rpm package and the hyperscan.rpm, is that the best approach to deploy to other sensors?
Or is there a different method to package Suricata with advanced options, to try and have the associated libraries statically compiled so it's just one large .rpm file?
I now have a dev sensor up and running on CentOS 7 with all dev tools, so I should be able to make some progress on this; I'm just not familiar with the simplest workflow to create the adv-suri.rpm file.
So if I have the RPM for Hyperscan already installed on the system, do I then run ./configure --with-libhs-includes=/usr/local/include/hs/ --with-libhs-libraries=/usr/local/lib/ to identify the Hyperscan already installed? Or should Suricata pick this up as per 9.4.2 on
Then once ./configure is run with the advanced options needed, I then run
fpm -s dir -t rpm dir_of_suricata_source
Then I can just use hyperscan.rpm and my custom_suricata.rpm to deploy to sensors, or perhaps make fpm use --depends hyperscan.rpm so my Suricata package makes it a hard linked dependency at install time?
You'll probably have to experiment a little. On Fedora and CentOS 8, where there is a package that installs into /usr/lib, it is picked up by default. Outside of those locations you might have to use --with-libhs-*.
Check the build output after ./configure; it will tell you if Hyperscan was picked up or not.
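Since the thread ends on "check the build output", here is a small pre-packaging check, added as an example and not code from the thread or from the Suricata project. It assumes the "Hyperscan support:" summary line printed by both ./configure and suricata --build-info, and the two sample outputs are constructed to mimic that summary; the idea is to run it on the dev sensor before fpm packages the tree, so a build that silently missed libhs never gets shipped to the other 50 sensors.

```shell
#!/bin/sh
# Added example: verify that a Suricata build (or installed binary) has
# Hyperscan enabled before packaging it with fpm and deploying it.
# Assumption: the summary line "Hyperscan support: yes|no" as printed by
# ./configure and by `suricata --build-info`.

# has_hyperscan OUTPUT
#   Exit 0 if OUTPUT contains a "Hyperscan support: yes" summary line,
#   non-zero otherwise (including empty or absent output).
has_hyperscan() {
    printf '%s\n' "$1" |
        grep -qiE '^[[:space:]]*Hyperscan support:[[:space:]]+yes[[:space:]]*$'
}

# Constructed sample summaries (not real tool output) for the two cases.
SAMPLE_NO='Suricata Configuration:
  AF_PACKET support:                       yes
  Hyperscan support:                       no
  Prelude support:                         yes'

SAMPLE_YES='Suricata Configuration:
  AF_PACKET support:                       yes
  Hyperscan support:                       yes
  Prelude support:                         yes'

# check_installed_suricata [BINARY]
#   Runs BINARY --build-info (default: suricata on PATH) and checks it.
#   Exit 0 = Hyperscan enabled, 1 = not enabled, 2 = binary not found.
check_installed_suricata() {
    bin="${1:-suricata}"
    command -v "$bin" >/dev/null 2>&1 || return 2
    has_hyperscan "$("$bin" --build-info 2>/dev/null)"
}

# main: print a verdict and exit non-zero when the build is not ready to package.
main() {
    rc=0
    check_installed_suricata "${1:-suricata}" || rc=$?
    case "$rc" in
        0) echo "Hyperscan support: yes (safe to package with fpm)" ;;
        2) echo "no suricata binary found; run this after make install" ;;
        *) echo "Hyperscan support: no; re-run ./configure with --with-libhs-includes/--with-libhs-libraries" ;;
    esac
    return "$rc"
}

# Only run the check when executed under this file name; sourcing the file
# just defines the functions (e.g. for reuse in a fleet deployment script).
case "$0" in *check_hyperscan.sh) main "$@" ;; esac
```

Save it as check_hyperscan.sh and run it on the dev sensor after make install; a non-zero exit means either the binary is missing or it was linked without libhs, which is the case the thread warns about when Hyperscan lives outside /usr/lib.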