Suricata

Hey Team,

I am trying to build Suricata version 4.1.8 from source while enabling Hyperscan on a CentOS 7 box. However, I am running into the below error when I run "make install-full" to finish building Suricata:

make¹: Entering directory `/opt/suricata-4.1.8'
LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata-update \
--suricata /usr/bin/suricata \
--suricata-conf /etc/suricata/suricata.yaml \
--no-test --no-reload
/usr/bin/suricata: error while loading shared libraries: libhs.so.5: cannot open shared object file: No such file or directory
Traceback (most recent call last):
File "/usr/bin/suricata-update", line 33, in <module>
sys.exit(main.main())
File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 1517, in main
sys.exit(_main())
File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 1237, in _main
config.init(args)
File "/usr/bin/../lib/python2.7/site-packages/suricata/update/config.py", line 202, in init
build_info = suricata.update.engine.get_build_info(_config["suricata"])
File "/usr/bin/../lib/python2.7/site-packages/suricata/update/engine.py", line 41, in get_build_info
build_info_output = subprocess.check_output([suricata, "--build-info"])
File "/usr/lib64/python2.7/subprocess.py", line 575, in check_output
raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command '['/usr/bin/suricata', '--build-info']' returned non-zero exit status 127
make<sup>1</sup>: * [install-rules] Error 1
make<sup>1</sup>: Leaving directory `/opt/suricata-4.1.8'
make: * [install-full] Error 2

I believe this is related to me trying to implement the use of Hyperscan, because I have built version 4.1.8 from source without implementing Hyperscan and all went well.

Below are the steps I used to install boost and Hyperscan on CentOS 7:

1. yum install cmake ragel
2. yum install boost-devel
3. yum install gcc
4. yum install gcc-c++
5. yum groupinstall "Development tools"
6. wget https://sourceforge.net/projects/boost/files/boost/1.73.0/boost_1_73_0.tar.gz
7. tar xvzf boost_1_73_0.tar.gz
8. cd boost_1_73_0/
9. ./bootstrap.sh --prefix=/opt/boost
10. ./b2 install --prefix=/opt/boost --with=all
11. git clone https://github.com/01org/hyperscan
12. cd hyperscan/
13. mkdir build
14. cd build/
15. cmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=/opt/boost_1_73_0/ ../
16. make
17. make install
18. echo "/usr/local/lib" | sudo tee --append /etc/ld.so.conf.d/usrlocal.conf
19. sudo ldconfig

I then run the below steps to build Suricata

1. yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make libnetfilter_queue-devel lua-devel
2. wget http://rpmfind.net/linux/mageia/distrib/7/x86_64/media/core/updates/lib64htp2-4.1.6-1.mga7.x86_64.rpm
3. yum install lib64htp2-4.1.6-1.mga7.x86_64.rpm -y
4. yum install cargo
5. wget http://www.openinfosecfoundation.org/download/suricata-4.1.8.tar.gz
6. tar -xvzf suricata-4.1.8.tar.gz
7. cd suricata-4.1.8/
8. ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua --enable-rust --with-libhs-includes=/usr/local/include/hs/ --with-libhs-libraries=/usr/local/lib64/

Note that Suricata configure script did not pick up Hyperscan by default, so I used the --with-libhs-includes and --with-libhs-libraries to specify it and then Suricata picked it up

1. make
2. make install-full

Then I run into the error which I pasted in the beginning of this message.

It looks like I pulled down Hyperscan 5.3.0 that was released 22 days ago. Perhaps that version is not compatible? Is there a version you guys recommend?

I am at a lose as to what else to try to get get Suricata fully working and I would greatly appreciate any guidance you guys can provide.

As always, thank you for you help!

Best Regards,

Taylor