Suricata 6 with Hyperscan on CentOS 7

A QUICK GUIDE TO SURICATA 6 w/HYPERSCAN on CentOS 7

or

How to install Suricata with Hyperscan pattern matching in 8 easy steps.

Versions listed below were latest at time of this post. The assumed starting point is a minimal install of CentOS 7. Please note that this isn’t the only way to accomplish the install, and not all items are needed but have been included for ease of install for newer users.

INSTALL PRELIMINARY ITEMS

1. Add EPEL repo, update to latest kernels & headers, & reboot:

  • yum clean all
  • yum install epel-release
  • yum update

2. Install useful tools:

  • yum install net-tools pciutils psmisc screen tar tcpdump wget

3. Install Developer Tools needed for compiling and installing code:

  • yum group install "Development Tools"

4. Install RUST:

  • yum install rust

OR

For hosts with no internet access, use standalone installers found here - https://forge.rust-lang.org/infra/other-installation-methods.html . For RHEL / CentOS on standard x86_64 choose the link labeled “x86_64-unknown-linux-gnu”

  • tar zxvf rust-#.##.#-x86_64-unknown-linux-gnu.tar.gz
  • cd rust-#.##.#-x86_64-unknown-linux-gnu
  • sudo ./install.sh

5. Install additional prerequisites -

  • yum install bzip2-devel cmake cargo file-devel GeoIP-devel hiredis hiredis-devel jansson-devel jq kernel-devel libcap-ng-devel libdnet libevent libmaxminddb-devel libnet-devel libnetfilter_queue-devel libnss-mysql libpcap-devel libyaml-devel luajit lua-devel lz4-devel lzma ncurses-devel nss-devel pcre-devel python-devel python-yaml ragel sqlite-devel xz-devel

BUILD HYPERSCAN - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Hyperscan
“Hyperscan is a high-performance multiple regex matching library.” https://01.org/hyperscan - In Suricata it is used to perform multi pattern matching (mpm). Support was implemented by Justin Viiret and Jim Xu from Intel.

6. Download and compile Boost headers
Check for the current version in the Boost C++ Libraries file listing (Browse /boost) on SourceForge.net

  • wget <URL of the boost_1_74_0.tar.gz download from the Boost page on SourceForge.net>
  • tar zxvf boost_1_74_0.tar.gz
  • cd boost_1_74_0
  • ./bootstrap.sh
  • ./b2

7. Build and Install Hyperscan - From http://01org.github.io/hyperscan/dev-reference/getting_started.html

  • wget https://github.com/intel/hyperscan/archive/master.zip
  • unzip master
  • mv hyperscan-master hyperscan
  • cd hyperscan
  • mkdir build
  • cd build
  • ln -s boost_1_74_0/boost /usr/local/src/hyperscan/include/boost_1_74_0/ …/
  • cmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=/usr/local/src/boost_1_74_0/ …/
  • make
  • sudo make install

BUILD AND INSTALL SURICATA

8. Download source code to Suricata and install

  • wget https://www.openinfosecfoundation.org/download/suricata-6.0.0.tar.gz

  • tar -zxvf suricata-6.0.0.tar.gz

  • cd suricata-6.0.0

  • ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --with-libhs-includes=/usr/local/include/hs/ --with-libhs-libraries=/usr/local/lib64/ --with-libhtp-includes=/usr/local/include/htp --with-libhtp-libraries=/usr/local/lib64/ --with-liblzma-includes=/usr/include/ --with-liblzma-libraries=/usr/lib64 --enable-gccprotect --enable-gccmarch-native --enable-lua --enable-geoip --enable-rust --enable-unix-socket

  • make && make install

  • ldconfig
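A post-install check for the result of steps 7 and 8, added here as an example and not part of the original post: it confirms that the installed Suricata reports Hyperscan support in `suricata --build-info` and that `mpm-algo` in suricata.yaml is left at `auto` or set to `hs`, so the Hyperscan matcher is actually selected at runtime. It assumes `suricata` is on PATH and the config lives at /etc/suricata/suricata.yaml (the --sysconfdir used above); the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: verify a Suricata build really uses Hyperscan.
# Assumptions: suricata on PATH, config at /etc/suricata/suricata.yaml.

# Return 0 if the given `suricata --build-info` text reports Hyperscan support.
build_info_has_hs() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Hyperscan support:[[:space:]]*yes'
}

# Print the effective mpm-algo from suricata.yaml text; Suricata defaults to "auto"
# when the key is absent, and "auto" picks hs whenever it was compiled in.
mpm_algo_from_yaml() {
    algo=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*mpm-algo:[[:space:]]*\([a-z-]*\).*/\1/p' | head -n 1)
    [ -n "$algo" ] && printf '%s\n' "$algo" || printf 'auto\n'
}

# Constructed sample of the relevant lines of `suricata --build-info` output.
SAMPLE_BUILD_INFO='This is Suricata version 6.0.0 RELEASE
Suricata Configuration:
  AF_PACKET support:                       yes
  Hyperscan support:                       yes
  LuaJIT support:                          yes'

# Constructed fragment of suricata.yaml.
SAMPLE_YAML='# detection engine settings
mpm-algo: auto
spm-algo: auto'

# Run the checks against the live installation; non-zero exit on any problem.
check_live_install() {
    command -v suricata >/dev/null 2>&1 || { echo "suricata not found on PATH"; return 1; }
    info=$(suricata --build-info 2>/dev/null)
    if build_info_has_hs "$info"; then
        echo "Hyperscan: compiled in"
    else
        echo "Hyperscan: NOT compiled in (check --with-libhs-* paths and ldconfig)"; return 1
    fi
    algo=$(mpm_algo_from_yaml "$(cat /etc/suricata/suricata.yaml 2>/dev/null)")
    echo "mpm-algo: $algo"
    case "$algo" in
        auto|hs) ;;
        *) echo "mpm-algo '$algo' will not use Hyperscan"; return 1 ;;
    esac
}

if [ "${1:-}" = run ]; then check_live_install; fi
```

Run it as `sh check_hs.sh run` on the finished host; the two helper functions can also be sourced and pointed at saved output.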


FYI, since early '21 suricata rpm from EPEL now supports hyperscan out of the box.
I hope it’s useful to future readers.
