Suricata

Did you compile Suricata from source? The configure script should pick up your Hyperscan installation once you have it installed.

David Lam wrote:

Did you compile Suricata from source? The configure script should pick up your Hyperscan installation once you have it installed.

I installed Suricata from the repo.I asked in Hyperscan web mail too and they answer me that I have to install it from the sources. I removed Suricata from the repo and the I tried to install Suricata (from the sources) and in ./configure (before make) didn't appear these lines that show if Hyperscan is supported:

checking for libhs... yes

checking hs.h usability... yes

checking hs.h presence... yes

checking for hs.h... yes

checking for hs_compile in -lhs... yes

So, I installed Hyperscan again (following Suricata docs for it) but these lines didn't appear yet.

Does Hyperscan support AMD processors? Since I have a Phenom, I am installing all in a virtual machine of VMware, so I think that it couldn't be the problem.

Thanks for your help!

Can be related to the fix here - https://redmine.openinfosecfoundation.org/issues/2010#change-7826
Does your CPU have SSSE3 ? Any related log err messages in suricata.log ?

Peter Manev wrote:

Can be related to the fix here - https://redmine.openinfosecfoundation.org/issues/2010#change-7826
Does your CPU have SSSE3 ? Any related log err messages in suricata.log ?

My processor is a Phenom II, so it doesn't support SSSE3. In spite of that, I realized that I forgot the installation of the dependences libpcap, libpcre, libmagic, zlib, libyaml, my fault. After installed them I checked if Hyperscan is supported with the following command suricata --build-info|grep Hyperscan and it answered "yes". However, when I configure the mpm-algo and spm-algo to "hs" instead of auto and run Suricata occurs the following error:
<Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - Invalid spm algo supplied in the yaml conf file: "hs"

So, I think that my processor doesn't support SSSE3 instruction set. Anyway I don't understand why, because I am running Suricata on a virtual machine of VMware and that make an abstraction of the hardware. Thanks for answering!

Alexis Fredes wrote:

Peter Manev wrote:

Can be related to the fix here - https://redmine.openinfosecfoundation.org/issues/2010#change-7826
Does your CPU have SSSE3 ? Any related log err messages in suricata.log ?

My processor is a Phenom II, so it doesn't support SSSE3. In spite of that, I realized that I forgot the installation of the dependences libpcap, libpcre, libmagic, zlib, libyaml, my fault. After installed them I checked if Hyperscan is supported with the following command suricata --build-info|grep Hyperscan and it answered "yes". However, when I configure the mpm-algo and spm-algo to "hs" instead of auto and run Suricata occurs the following error:
<Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - Invalid spm algo supplied in the yaml conf file: "hs"
UPDATE: I checked the flags line in file /proc/cpuinfo to check if ssse3 is present and I didn't find it, so my cpu doesn't support Hyperscan.

Thanks

So, I think that my processor doesn't support SSSE3 instruction set. Anyway I don't understand why, because I am running Suricata on a virtual machine of VMware and that make an abstraction of the hardware. Thanks for answering!

Alexis Fredes wrote:

Alexis Fredes wrote:

Peter Manev wrote:

Can be related to the fix here - https://redmine.openinfosecfoundation.org/issues/2010#change-7826
Does your CPU have SSSE3 ? Any related log err messages in suricata.log ?

My processor is a Phenom II, so it doesn't support SSSE3. In spite of that, I realized that I forgot the installation of the dependences libpcap, libpcre, libmagic, zlib, libyaml, my fault. After installed them I checked if Hyperscan is supported with the following command suricata --build-info|grep Hyperscan and it answered "yes". However, when I configure the mpm-algo and spm-algo to "hs" instead of auto and run Suricata occurs the following error:
<Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - Invalid spm algo supplied in the yaml conf file: "hs"
So, I think that my processor doesn't support SSSE3 instruction set. Anyway I don't understand why, because I am running Suricata on a virtual machine of VMware and that make an abstraction of the hardware. Thanks for answering!

UPDATE: I checked the flags line in file /proc/cpuinfo to check if ssse3 is present and I didn't find it, so my cpu doesn't support Hyperscan.
Thanks