Support #2128

closed

Suricata and Hyperscan

Added by Alexis Fredes about 7 years ago. Updated almost 7 years ago.

Status: Closed
Priority: Normal
Assignee: -
Affected Versions:
Label:

Description

Hello!
I am trying to add Hyperscan to my Suricata installed on Ubuntu 16.04 LTS on a VMware virtual machine. I followed the tutorial at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Hyperscan and when I ask for suricata --build-info|grep Hyperscan it says "support no". Any idea?

Thanks!
Alexis

Actions #1

Updated by David Lam about 7 years ago

Did you compile Suricata from source? The configure script should pick up your Hyperscan installation once you have it installed.

Actions #2

Updated by Andreas Herz about 7 years ago

  • Assignee set to Anonymous
  • Target version set to Support

Actions #3

Updated by Alexis Fredes about 7 years ago

David Lam wrote:

Did you compile Suricata from source? The configure script should pick up your Hyperscan installation once you have it installed.

I installed Suricata from the repo. I asked in Hyperscan web mail too and they answered me that I have to install it from the sources. I removed Suricata from the repo and then I tried to install Suricata (from the sources), and in ./configure (before make) these lines, which show if Hyperscan is supported, didn't appear:

checking for libhs... yes
checking hs.h usability... yes
checking hs.h presence... yes
checking for hs.h... yes
checking for hs_compile in -lhs... yes

So, I installed Hyperscan again (following the Suricata docs for it) but these lines still didn't appear.

Does Hyperscan support AMD processors? Since I have a Phenom, I am installing everything in a VMware virtual machine, so I think that it couldn't be the problem.

Thanks for your help!

Actions #4

Updated by Peter Manev about 7 years ago

Can be related to the fix here - https://redmine.openinfosecfoundation.org/issues/2010#change-7826
Does your CPU have SSSE3? Any related log error messages in suricata.log?

Actions #5

Updated by Alexis Fredes about 7 years ago

Peter Manev wrote:

Can be related to the fix here - https://redmine.openinfosecfoundation.org/issues/2010#change-7826
Does your CPU have SSSE3? Any related log error messages in suricata.log?

My processor is a Phenom II, so it doesn't support SSSE3. In spite of that, I realized that I forgot to install the dependencies libpcap, libpcre, libmagic, zlib, libyaml, my fault. After installing them I checked if Hyperscan is supported with the following command suricata --build-info|grep Hyperscan and it answered "yes". However, when I configure the mpm-algo and spm-algo to "hs" instead of auto and run Suricata, the following error occurs:
<Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - Invalid spm algo supplied in the yaml conf file: "hs"

So, I think that my processor doesn't support the SSSE3 instruction set. Anyway, I don't understand why, because I am running Suricata on a VMware virtual machine and that makes an abstraction of the hardware. Thanks for answering!

Actions #6

Updated by Alexis Fredes about 7 years ago

Alexis Fredes wrote:

Peter Manev wrote:

Can be related to the fix here - https://redmine.openinfosecfoundation.org/issues/2010#change-7826
Does your CPU have SSSE3? Any related log error messages in suricata.log?

My processor is a Phenom II, so it doesn't support SSSE3. In spite of that, I realized that I forgot to install the dependencies libpcap, libpcre, libmagic, zlib, libyaml, my fault. After installing them I checked if Hyperscan is supported with the following command suricata --build-info|grep Hyperscan and it answered "yes". However, when I configure the mpm-algo and spm-algo to "hs" instead of auto and run Suricata, the following error occurs:
<Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - Invalid spm algo supplied in the yaml conf file: "hs"
UPDATE: I checked the flags line in the file /proc/cpuinfo to see if ssse3 is present and I didn't find it, so my CPU doesn't support Hyperscan.

Thanks

So, I think that my processor doesn't support the SSSE3 instruction set. Anyway, I don't understand why, because I am running Suricata on a VMware virtual machine and that makes an abstraction of the hardware. Thanks for answering!

Actions #7

Updated by Alexis Fredes about 7 years ago

Alexis Fredes wrote:

Alexis Fredes wrote:

Peter Manev wrote:

Can be related to the fix here - https://redmine.openinfosecfoundation.org/issues/2010#change-7826
Does your CPU have SSSE3? Any related log error messages in suricata.log?

My processor is a Phenom II, so it doesn't support SSSE3. In spite of that, I realized that I forgot to install the dependencies libpcap, libpcre, libmagic, zlib, libyaml, my fault. After installing them I checked if Hyperscan is supported with the following command suricata --build-info|grep Hyperscan and it answered "yes". However, when I configure the mpm-algo and spm-algo to "hs" instead of auto and run Suricata, the following error occurs:
<Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - Invalid spm algo supplied in the yaml conf file: "hs"
So, I think that my processor doesn't support the SSSE3 instruction set. Anyway, I don't understand why, because I am running Suricata on a VMware virtual machine and that makes an abstraction of the hardware. Thanks for answering!

UPDATE: I checked the flags line in the file /proc/cpuinfo to see if ssse3 is present and I didn't find it, so my CPU doesn't support Hyperscan.
Thanks

Actions #8

Updated by Victor Julien almost 7 years ago

  • Status changed from New to Closed
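
The two checks this thread ends up relying on, combined into one pre-flight script. This is an added example, not part of the original ticket or of Suricata: it reads the "Hyperscan support" line of suricata --build-info and the flags line of /proc/cpuinfo before mpm-algo and spm-algo are set to "hs". The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket): can mpm-algo/spm-algo "hs" work here?
# Function names and sample inputs below are constructed for illustration.

# has_cpu_flag FLAG: reads /proc/cpuinfo-style text on stdin and succeeds only
# if FLAG is a whole word on a "flags" line (no substring matches).
has_cpu_flag() {
    awk -v f="$1" -F: '
        $1 ~ /^flags[ \t]*$/ {
            n = split($2, a, " ")
            for (i = 1; i <= n; i++) if (a[i] == f) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# build_has_hyperscan: reads `suricata --build-info` output on stdin.
build_has_hyperscan() {
    grep -Eiq 'Hyperscan support:[[:space:]]*yes'
}

# hs_verdict CPUINFO_TEXT BUILDINFO_TEXT: prints one token.
#   no-hyperscan-build  Suricata was compiled without Hyperscan
#   no-ssse3            build is fine, but the (virtual) CPU lacks SSSE3
#   hs-ok               both conditions hold, "hs" can be configured
hs_verdict() {
    if ! printf '%s\n' "$2" | build_has_hyperscan; then
        echo "no-hyperscan-build"
    elif ! printf '%s\n' "$1" | has_cpu_flag ssse3; then
        echo "no-ssse3"
    else
        echo "hs-ok"
    fi
}

# Constructed sample inputs (not captured from the reporter's machine).
SAMPLE_CPU_NO_SSSE3='flags           : fpu vme sse sse2 pni sse4a popcnt'
SAMPLE_CPU_SSSE3='flags           : fpu vme sse sse2 pni ssse3 sse4_1'
SAMPLE_BUILD_YES='  Hyperscan support:                       yes'
SAMPLE_BUILD_NO='  Hyperscan support:                       no'

# Check the live host only when asked: sh hs_check.sh --live
if [ "${1:-}" = "--live" ]; then
    hs_verdict "$(cat /proc/cpuinfo)" "$(suricata --build-info 2>/dev/null)"
fi
```

Run it with --live inside the guest that will host Suricata: the flags line there lists what the virtual CPU actually exposes, which is the value that matters for "hs".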