Support #3777
closedCompiling Suricata with Hyperscan Issue
Description
Hey Team,
I am trying to build Suricata version 4.1.8 from source while enabling Hyperscan on a CentOS 7 box. However, I am running into the below error when I run "make install-full" to finish building Suricata:
make1: Entering directory `/opt/suricata-4.1.8'
LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata-update \
--suricata /usr/bin/suricata \
--suricata-conf /etc/suricata/suricata.yaml \
--no-test --no-reload
/usr/bin/suricata: error while loading shared libraries: libhs.so.5: cannot open shared object file: No such file or directory
Traceback (most recent call last):
File "/usr/bin/suricata-update", line 33, in <module>
sys.exit(main.main())
File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 1517, in main
sys.exit(_main())
File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 1237, in _main
config.init(args)
File "/usr/bin/../lib/python2.7/site-packages/suricata/update/config.py", line 202, in init
build_info = suricata.update.engine.get_build_info(_config["suricata"])
File "/usr/bin/../lib/python2.7/site-packages/suricata/update/engine.py", line 41, in get_build_info
build_info_output = subprocess.check_output([suricata, "--build-info"])
File "/usr/lib64/python2.7/subprocess.py", line 575, in check_output
raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command '['/usr/bin/suricata', '--build-info']' returned non-zero exit status 127
make1: * [install-rules] Error 1
make1: Leaving directory `/opt/suricata-4.1.8'
make: * [install-full] Error 2
I believe this is related to me trying to implement the use of Hyperscan, because I have built version 4.1.8 from source without implementing Hyperscan and all went well.
Below are the steps I used to install boost and Hyperscan on CentOS 7:
- yum install cmake ragel
- yum install boost-devel
- yum install gcc
- yum install gcc-c++
- yum groupinstall "Development tools"
- wget https://sourceforge.net/projects/boost/files/boost/1.73.0/boost_1_73_0.tar.gz
- tar xvzf boost_1_73_0.tar.gz
- cd boost_1_73_0/
- ./bootstrap.sh --prefix=/opt/boost
- ./b2 install --prefix=/opt/boost --with=all
- git clone https://github.com/01org/hyperscan
- cd hyperscan/
- mkdir build
- cd build/
- cmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=/opt/boost_1_73_0/ ../
- make
- make install
- echo "/usr/local/lib" | sudo tee --append /etc/ld.so.conf.d/usrlocal.conf
- sudo ldconfig
I then run the below steps to build Suricata
- yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make libnetfilter_queue-devel lua-devel
- wget http://rpmfind.net/linux/mageia/distrib/7/x86_64/media/core/updates/lib64htp2-4.1.6-1.mga7.x86_64.rpm
- yum install lib64htp2-4.1.6-1.mga7.x86_64.rpm -y
- yum install cargo
- wget http://www.openinfosecfoundation.org/download/suricata-4.1.8.tar.gz
- tar -xvzf suricata-4.1.8.tar.gz
- cd suricata-4.1.8/
- ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua --enable-rust --with-libhs-includes=/usr/local/include/hs/ --with-libhs-libraries=/usr/local/lib64/
Note that Suricata configure script did not pick up Hyperscan by default, so I used the --with-libhs-includes and --with-libhs-libraries to specify it and then Suricata picked it up
- make
- make install-full
Then I run into the error which I pasted in the beginning of this message.
It looks like I pulled down Hyperscan 5.3.0 that was released 22 days ago. Perhaps that version is not compatible? Is there a version you guys recommend?
I am at a lose as to what else to try to get get Suricata fully working and I would greatly appreciate any guidance you guys can provide.
As always, thank you for you help!
Best Regards,
Taylor