May 23, 2010
 
Suricata is a next generation IDS/IPS engine developed by the Open Information Security Foundation. This article describes the installation, setup and usage of Suricata with CUDA support on an Ubuntu 10.04 64-bit system. For 32-bit users, simply remove the "64" occurrences where you find them.

Preparation

You need to download both the developer driver and the CUDA toolkit from the NVIDIA website. I really mean both, because the Ubuntu nvidia drivers are not working with CUDA. I first downloaded and installed the CUDA toolkit for Ubuntu 9.04. It was straightforward:
sudo sh cudatoolkit_3.0_linux_64_ubuntu9.04.run
To install the nvidia drivers, you need to disconnect from the graphical session and stop gdm. So I switched to a text console with Ctrl+Alt+F1 and logged in as a normal user. Then I simply ran the install script:
sudo stop gdm
sudo sh devdriver_3.0_linux_64_195.36.15.run
sudo modprobe nvidia
sudo start gdm
After a normal graphical login, I was able to start working on the Suricata build.

Suricata building

I describe here the compilation of the 0.9.0 source. To do so, you can get the latest release from the OISF download page and extract it to your preferred directory:
wget http://openinfosecfoundation.org/download/suricata-0.9.0.tar.gz
tar xf suricata-0.9.0.tar.gz
cd suricata-0.9.0
Compilation from git should be straightforward (if CUDA support is not broken) by doing:
git clone git://phalanx.openinfosecfoundation.org/oisf.git
cd oisf
./autogen.sh
The configure command has to be passed options to enable CUDA:
./configure --enable-debug --enable-cuda --with-cuda-includes=/usr/local/cuda/include/ --with-cuda-libraries=/usr/local/cuda/lib64/ --enable-nfqueue --prefix=/opt/suricata/ --enable-unittests
After that you can simply use
make
sudo make install
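The configure step above only works if the toolkit headers and libraries are where --with-cuda-includes and --with-cuda-libraries point, and the driver step only helps if the nvidia module actually loaded. The following POSIX shell script is an added example, not code from the original post or from the Suricata project: it checks those preconditions with the article's default paths (/usr/local/cuda, /opt/suricata) and the standard Linux locations for driver state (/proc/modules, /dev/nvidia*), and prints the configure line with the library directory matching the toolkit that is really installed (lib64 or lib).

```shell
#!/bin/sh
# Added example (not from the original post or the Suricata project):
# verify the CUDA pieces ./configure --enable-cuda expects before building.
# Default paths are the article's (/usr/local/cuda); /proc/modules and
# /dev/nvidia* are the standard Linux locations for the driver state.

# cuda_toolkit_ok [PREFIX]
# Returns 0 when the headers and runtime library that
# --with-cuda-includes / --with-cuda-libraries point at are under PREFIX.
cuda_toolkit_ok() {
    prefix=${1:-/usr/local/cuda}
    missing=0
    for f in "$prefix/include/cuda.h" "$prefix/include/cuda_runtime.h"; do
        if [ ! -f "$f" ]; then
            echo "missing header: $f" >&2
            missing=1
        fi
    done
    # lib64 on a 64-bit install, lib on 32-bit (the "remove 64" rule from the intro).
    if ! ls "$prefix"/lib64/libcudart.so* >/dev/null 2>&1 &&
       ! ls "$prefix"/lib/libcudart.so* >/dev/null 2>&1; then
        echo "missing libcudart under $prefix/lib64 or $prefix/lib" >&2
        missing=1
    fi
    return "$missing"
}

# cuda_libdir [PREFIX]
# Prints the library directory to hand to --with-cuda-libraries.
cuda_libdir() {
    prefix=${1:-/usr/local/cuda}
    if ls "$prefix"/lib64/libcudart.so* >/dev/null 2>&1; then
        echo "$prefix/lib64/"
    else
        echo "$prefix/lib/"
    fi
}

# nvidia_driver_ok
# Returns 0 when the nvidia kernel module is loaded and its device nodes
# exist, i.e. the state left by the 'sudo modprobe nvidia' step above.
nvidia_driver_ok() {
    if ! grep -q '^nvidia ' /proc/modules 2>/dev/null; then
        echo "nvidia module not loaded (sudo modprobe nvidia)" >&2
        return 1
    fi
    for dev in /dev/nvidiactl /dev/nvidia0; do
        if [ ! -c "$dev" ]; then
            echo "device node $dev missing" >&2
            return 1
        fi
    done
    return 0
}

# cuda_configure_cmd [PREFIX] [INSTALL_PREFIX]
# Prints the configure line from the article with the library directory
# chosen to match the toolkit actually installed.
cuda_configure_cmd() {
    prefix=${1:-/usr/local/cuda}
    install=${2:-/opt/suricata}
    echo "./configure --enable-debug --enable-cuda" \
         "--with-cuda-includes=$prefix/include/" \
         "--with-cuda-libraries=$(cuda_libdir "$prefix")" \
         "--enable-nfqueue --prefix=$install/ --enable-unittests"
}

# cuda_preflight [PREFIX]
# Runs all checks; on success prints the configure command to copy.
cuda_preflight() {
    cuda_toolkit_ok "$1" && nvidia_driver_ok && cuda_configure_cmd "$1"
}
```

Source the file and run `cuda_preflight` (or `cuda_preflight /path/to/other/cuda` for a toolkit installed elsewhere); each missing piece is reported on stderr, so a configure failure can be traced to a missing header, library or unloaded module instead of being read out of config.log.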
Now you’re ready to run.

Running suricata with CUDA support

Let's first check if the previous steps were correct by running the unit tests:
sudo /opt/suricata/bin/suricata -uUCuda
It should display a bunch of messages and finish with a summary:
==== TEST RESULTS ====
PASSED: 43
FAILED: 0
======================
Now, it is time to configure Suricata. To do so we will first install the configuration file in a standard location:
sudo mkdir /opt/suricata/etc
sudo cp suricata.yaml classification.config /opt/suricata/etc/
sudo mkdir /var/log/suricata
Suricata needs some rules. We will use the Emerging Threats ones and the configuration method described by Victor Julien in his article.
wget http://www.emergingthreats.net/rules/emerging.rules.tar.gz
cd /opt/suricata/etc/
sudo tar xf /home/eric/src/suricata-0.9.0/emerging.rules.tar.gz
As our install location is not standard, we need to set the location of the rules by modifying suricata.yaml. The line
default-rule-path: /etc/suricata/rules/
has to become:
default-rule-path: /opt/suricata/etc/rules/
The classification-file variable has to be modified too to become:
classification-file: /opt/suricata/etc/classification.config
To be able to reproduce the test, we will use a pcap file obtained via tcpdump. For example, my dump was obtained via:
sudo tcpdump -s0 -i br0 -w Desktop/br0.pcap
Now, let’s run suricata to check if it is working correctly:
sudo /opt/suricata/bin/suricata -c /opt/suricata/etc/suricata.yaml -r /home/eric/Desktop/br0.pcap
Once done, we can edit suricata.yaml. We need to replace the mpm-algo value, changing
#mpm-algo: b2g
mpm-algo: b2g_cuda
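The three edits made above (default-rule-path, classification-file and mpm-algo) are easy to get wrong by hand, and a typo in a key name only shows up when Suricata starts. This POSIX shell script is an added example, not code from the original post or from the Suricata project: it applies the same three changes for the /opt/suricata install used in the article and reads the values back. It assumes these keys live at top level (column 0) of suricata.yaml, as they do in the 0.9.0 file, and uses only sed and grep.

```shell
#!/bin/sh
# Added example (not from the original post or the Suricata project): apply
# the article's three suricata.yaml edits (rule path, classification file,
# mpm-algo) repeatably, then read the values back to confirm. Only keys at
# column 0 are touched, so a nested key with the same name is left alone.

# set_yaml_top_key FILE KEY VALUE
# Rewrites "KEY: ..." at column 0 to "KEY: VALUE". A commented-out
# "#KEY: ..." line (like the shipped "#mpm-algo: b2g") is uncommented and
# set; if neither exists the key is appended. The file is rewritten through
# a temporary copy so a failing sed never leaves it half-written.
# VALUE must not contain '|' or '&', which are special to the sed expression.
set_yaml_top_key() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    if grep -q "^$key:" "$file"; then
        sed "s|^$key:.*|$key: $value|" "$file" > "$tmp"
    elif grep -q "^#[[:space:]]*$key:" "$file"; then
        sed "s|^#[[:space:]]*$key:.*|$key: $value|" "$file" > "$tmp"
    else
        { cat "$file"; echo "$key: $value"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_yaml_top_key FILE KEY
# Prints the value of a top-level key (first match) with trailing
# whitespace stripped; prints nothing and returns 1 if it is absent or empty.
get_yaml_top_key() {
    val=$(sed -n "s|^$2:[[:space:]]*||p" "$1" | head -n 1 | sed 's/[[:space:]]*$//')
    [ -n "$val" ] || return 1
    echo "$val"
}

# configure_suricata_yaml FILE ETC_DIR [MPM_ALGO]
# The article's three changes for an install whose config lives in ETC_DIR.
# MPM_ALGO defaults to b2g_cuda; pass b2g to go back to the CPU matcher.
configure_suricata_yaml() {
    file=$1 etc=$2 mpm=${3:-b2g_cuda}
    set_yaml_top_key "$file" default-rule-path "$etc/rules/"
    set_yaml_top_key "$file" classification-file "$etc/classification.config"
    set_yaml_top_key "$file" mpm-algo "$mpm"
    # Read back so a typo in a key name is noticed before Suricata starts.
    for k in default-rule-path classification-file mpm-algo; do
        printf '%s = %s\n' "$k" "$(get_yaml_top_key "$file" "$k")"
    done
}
```

Usage for the layout in this article: `configure_suricata_yaml /opt/suricata/etc/suricata.yaml /opt/suricata/etc` (run as root, since the file is owned by root), which prints the three resulting values; `configure_suricata_yaml ... /opt/suricata/etc b2g` switches back to the CPU matcher, which keeps the CUDA and non-CUDA timing runs on identical configurations apart from mpm-algo.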
Now, let's run suricata with timing enabled:
time sudo /opt/suricata/bin/suricata -c /opt/suricata/etc/suricata.yaml -r /home/eric/Desktop/br0.pcap 2>/tmp/out.log
With Suricata 0.9.0, the run time for a 42 MB pcap file, with start-up time deducted, is:
  • 11s without CUDA
  • 19s with CUDA

Conclusion

As said by Victor Julien during an IRC discussion, current CUDA performance is clearly suboptimal for now because packets are sent to the card one at a time. It is thus, for the moment, much slower than the CPU version. He is currently working on an improved version which will fix this issue.
Updated code will be available soon. Stay tuned!
