Autogenerated on 2012-11-29
from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_with_CUDA_and_PFRING_on_Scientific_Linux_6


Installation with CUDA and PFRING on Scientific Linux 6

For setup and install you need to be root:

  mkdir /root/src
  cd /root/src

Pre installation requirements

Install the following packages, to make sure you have everything needed for the
installation:

  yum install mpfr-2.4.1-6.el6.x86_64 cpp-4.4.4-13.el6.x86_64 \
  ppl-0.10.2-11.el6.x86_64 cloog-ppl-0.15.7-1.2.el6.x86_64 \
  gcc-4.4.4-13.el6.x86_64 kernel-devel-2.6.32-131.2.1.el6.x86_64 \
  pcre-devel-7.8-3.1.el6.x86_64 \
  libpcap-devel-1.0.0-6.20091201git117cb5.el6.x86_64 \
  yum-plugin-priorities-1.1.26-11.el6.noarch yum-conf-sl6x-1-1.noarch \
  libyaml-0.1.3-1.el6.rf.x86_64 libyaml-devel-0.1.3-1.el6.rf.x86_64 \
  libnet-1.1.2.1-2.2.el6.rf.x86_64 flex-2.5.35-8.el6.x86_64 \
  bison-2.4.1-5.el6.x86_64 gcc-c++-4.4.4-13.el6.x86_64


CUDA

Download and install NVIDIA CUDA drivers:

  wget http://us.download.nvidia.com/XFree86/Linux-x86_64/270.41.19/NVIDIA-Linux-x86_64-270.41.19.run
  chmod +x NVIDIA-Linux-x86_64-270.41.19.run
  ./NVIDIA-Linux-x86_64-270.41.19.run

You also need to download and install the CUDA toolkit for RHEL6:

  wget http://developer.download.nvidia.com/compute/cuda/4_0/toolkit/cudatoolkit_4.0.17_linux_64_rhel6.0.run
  chmod +x cudatoolkit_4.0.17_linux_64_rhel6.0.run
  ./cudatoolkit_4.0.17_linux_64_rhel6.0.run

Make sure the kernel modules are loaded:

  /sbin/modprobe -r nouveau && /sbin/modprobe nvidia

To ensure the proper NVIDIA CUDA modules get loaded on reboot, add the above
line to your /etc/rc.local file.

PF_RING

Go to your download directory and get the latest PF_RING:

     svn export https://svn.ntop.org/svn/ntop/trunk/PF_RING/ pfring-svn-latest

Compile and install

Next, enter the following commands for configuration and installation:

     cd pfring-svn-latest/kernel
     make && sudo make install
     cd ../userland/lib
     ./configure --prefix=/usr/local/pfring && make && sudo make install
     cd ../libpcap-1.1.1-ring
     ./configure --prefix=/usr/local/pfring && make && sudo make install
     cd ../tcpdump-4.1.1
     ./configure --prefix=/usr/local/pfring && make && sudo make install

Load the pf_ring kernel module:

  /sbin/modprobe pf_ring

To ensure the pf_ring module gets loaded on reboot, add the above line to your
/etc/rc.local file.

Suricata

Download and install Suricata:

  wget http://www.openinfosecfoundation.org/download/suricata-1.1beta2.tar.gz

And unpack it:

  tar -xvzf suricata-1.1beta2.tar.gz

Change to the unpacked directory:

  cd suricata-1.1beta2

Now compile and install Suricata with PF_RING and CUDA support:

  # PF_RING and its libpcap were installed with --prefix=/usr/local/pfring
  # above, so the library and include paths point there.
  ./configure --enable-gccprotect --enable-profiling --enable-cuda \
  --with-cuda-includes=/usr/local/cuda/include \
  --with-cuda-libraries=/usr/local/cuda/lib64 --enable-pfring \
  --with-libpfring-libraries=/usr/local/pfring/lib \
  --with-libpfring-includes=/usr/local/pfring/include \
  --with-libpcap-libraries=/usr/local/pfring/lib \
  --with-libpcap-includes=/usr/local/pfring/include
  make
  make install

Continue with the Basic_Setup
Next, you need to edit max-pending-packets in your /etc/suricata/suricata.yaml.
If you don't have one, download a generic one to get started:

  cd /etc/suricata
  wget https://rules.emergingthreatspro.com/open-nogpl/suricata/suricata-open.yaml

Edit your suricata-open.yaml file accordingly.
The number of packets allowed to be processed simultaneously can be whatever
you want but it is recommended that it be 4000 or more.
For example:

  max-pending-packets: 12288

Next make sure the following line is present in the multi pattern algorithm
section:

  mpm-algo: b2g_cuda


Rules

Read the information in Rule_Management_with_Oinkmaster.
Add rules to Suricata:

  cd /etc/suricata
  wget https://rules.emergingthreatspro.com/open-nogpl/suricata/emerging.rules.tar.gz
  tar -xvzf emerging.rules.tar.gz

Make sure your .yaml file includes the /etc/suricata/rules/emerging-*.rules
files (they may need to be uncommented).
Run Suricata as follows (if you downloaded suricata-open.yaml above, pass that
file to -c instead):

  cd /etc/suricata
  /usr/local/bin/suricata -c /etc/suricata/suricata.yaml \
  --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow


  touch /var/lock/subsys/local
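
A pre-flight check for the configuration steps above, as an added example that
is not part of the original wiki page or of Suricata itself. The function name
check_suricata_conf and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the Suricata project): checks a suricata.yaml for
# the three settings this page asks for. Returns the number of problems found.
check_suricata_conf() {
    conf=$1
    problems=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    # max-pending-packets: the page recommends 4000 or more.
    # Assumption: if a key is repeated, the last uncommented line is checked.
    mpp=$(sed -n 's/^[[:space:]]*max-pending-packets:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$conf" | tail -n 1)
    if [ -z "$mpp" ]; then
        echo "max-pending-packets is not set (or is commented out)"
        problems=$((problems + 1))
    elif [ "$mpp" -lt 4000 ]; then
        echo "max-pending-packets is $mpp, below the recommended 4000"
        problems=$((problems + 1))
    fi

    # mpm-algo must be b2g_cuda; a commented-out line does not count.
    algo=$(sed -n 's/^[[:space:]]*mpm-algo:[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' "$conf" | tail -n 1)
    if [ "$algo" != "b2g_cuda" ]; then
        echo "mpm-algo is '${algo:-unset}', expected b2g_cuda"
        problems=$((problems + 1))
    fi

    # At least one emerging-*.rules list entry must be uncommented.
    if ! grep -Eq '^[[:space:]]*-[[:space:]]+[^#]*emerging-[A-Za-z0-9_.-]+\.rules' "$conf"; then
        echo "no uncommented emerging-*.rules entry found"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# Constructed sample (not from a real sensor): the CUDA line is still commented
# out, so the check reports one problem.
sample=$(mktemp)
printf '%s\n' 'max-pending-packets: 12288' '#mpm-algo: b2g_cuda' 'mpm-algo: b2g' \
    'rule-files:' ' - emerging-attack_response.rules' > "$sample"
check_suricata_conf "$sample" || echo "problems found: $?"
rm -f "$sample"
```

Run it against the file you pass to -c before starting Suricata.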


References

PF_RING
http://www.ntop.org/products/pf_ring/
