Hyperscan
=========

Introduction
~~~~~~~~~~~~

"Hyperscan is a high-performance multiple regex matching library." https://01.org/hyperscan

In Suricata it can be used to perform multi pattern matching (mpm). Support was implemented by Justin Viiret and Jim Xu from Intel: https://github.com/inliniac/suricata/pull/1965, https://redmine.openinfosecfoundation.org/issues/1704

Compilation
~~~~~~~~~~~

It's possible to pass --with-libhs-includes=/usr/local/include/hs/ --with-libhs-libraries=/usr/local/lib/, although by default this shouldn't be necessary. Suricata should pick up Hyperscan's pkg-config file automagically.

When Suricata's compilation succeeded, you should have:

::


  suricata --build-info|grep Hyperscan
    Hyperscan support:                       yes


Using Hyperscan
~~~~~~~~~~~~~~~

To use the hyperscan support edit your suricata.yaml. Change the mpm-algo and spm-algo values to 'hs'.

Alternatively, use this commandline option: --set mpm-algo=hs --set spm-algo=hs




Ubuntu Hyperscan Installation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To use Suricata with Hyperscan support, install dependencies:


::


  apt-get install cmake ragel

libboost headers
----------------

Hyperscan needs the libboost headers from 1.58+.

On Ubuntu 15.10 or 16.04+, simply do:


::


  apt-get install libboost-dev


Trusty
------

Trusty has 1.57, so it's too old. We can grab a newer libboost version, but we *don't* install it system wide. It's only the headers we care about during compilation of Hyperscan.


::


  sudo apt-get python-dev libbz2-dev
  wget http://downloads.sourceforge.net/project/boost/boost/1.60.0/boost_1_60_0.tar.gz
  tar xvzf boost_1_60_0.tar.gz
  cd boost_1_60_0
  ./bootstrap.sh --prefix=~/tmp/boost-1.60
  ./b2 install

Hyperscan
---------

We'll install version 4.2.0.


::


  git clone https://github.com/01org/hyperscan
  cd hyperscan
  mkdir build
  cd build
  cmake -DBUILD_STATIC_AND_SHARED=1 ../

If you have your own libboost headers, use this cmake line instead:

::


  cmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=~/tmp/boost-1.60 ../

Finally, make and make install:

::


  make
  sudo make install

Compilation can take a long time, but it should in the end look something like this:


::


  Install the project...
  -- Install configuration: "RELWITHDEBINFO"
  -- Installing: /usr/local/lib/pkgconfig/libhs.pc
  -- Up-to-date: /usr/local/include/hs/hs.h
  -- Up-to-date: /usr/local/include/hs/hs_common.h
  -- Up-to-date: /usr/local/include/hs/hs_compile.h
  -- Up-to-date: /usr/local/include/hs/hs_runtime.h
  -- Installing: /usr/local/lib/libhs_runtime.a
  -- Installing: /usr/local/lib/libhs_runtime.so.4.2.0
  -- Installing: /usr/local/lib/libhs_runtime.so.4.2
  -- Installing: /usr/local/lib/libhs_runtime.so
  -- Installing: /usr/local/lib/libhs.a
  -- Installing: /usr/local/lib/libhs.so.4.2.0
  -- Installing: /usr/local/lib/libhs.so.4.2
  -- Installing: /usr/local/lib/libhs.so

Note that you may have to add /usr/local/lib to your ld search path


::


  echo "/usr/local/lib" | sudo tee --append /etc/ld.so.conf.d/usrlocal.conf
  sudo ldconfig