Suricata开启Hyperscan加速的方法

We'll install version 4.2.0.

git clone https://github.com/01org/hyperscan cd hyperscan
mkdir build
cd build
cmake -DBUILD_STATIC_AND_SHARED=1 ../

If you have your own libboost headers, use this cmake line instead:

cmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=~/tmp/boost-1.60 ../

Finally, make and make install:

make
sudo make install

Compilation can take a long time, but it should in the end look something like this:

Install the project...
-- Install configuration: "RELWITHDEBINFO"
-- Installing: /usr/local/lib/pkgconfig/libhs.pc
-- Up-to-date: /usr/local/include/hs/hs.h
-- Up-to-date: /usr/local/include/hs/hs_common.h
-- Up-to-date: /usr/local/include/hs/hs_compile.h
-- Up-to-date: /usr/local/include/hs/hs_runtime.h
-- Installing: /usr/local/lib/libhs_runtime.a
-- Installing: /usr/local/lib/libhs_runtime.so.4.2.0
-- Installing: /usr/local/lib/libhs_runtime.so.4.2
-- Installing: /usr/local/lib/libhs_runtime.so
-- Installing: /usr/local/lib/libhs.a
-- Installing: /usr/local/lib/libhs.so.4.2.0
-- Installing: /usr/local/lib/libhs.so.4.2
-- Installing: /usr/local/lib/libhs.so

Note that you may have to add /usr/local/lib to your ld search path

echo "/usr/local/lib" | sudo tee --append /etc/ld.so.conf.d/usrlocal.conf
sudo ldconfig

Suricata

Compilation

Suricata's installation is now quite standard.
It's possible to pass --with-libhs-includes=/usr/local/include/hs/ --with-libhs-libraries=/usr/local/lib/, although by default this shouldn't be necessary. Suricata should pick up Hyperscan's pkg-config
file automagically.
When Suricata's compilation succeeded, you should have:

suricata --build-info|grep Hyperscan
Hyperscan support:                       yes

Using Hyperscan

To use the hyperscan support edit your suricata.yaml and change the mpm-algo value to 'hs'.
Alternatively, use this commandline option: --set mpm-algo=hs