Suricata is a next generation IDS/IPS engine developed by the Open Information Security Foundation. This article describes the installation, setup and usage of Suricata with CUDA support on Ubuntu 10.04 64-bit. For 32-bit users, simply remove the 64 occurrences where you find them.
Preparation

You need to download both the developer driver and the CUDA toolkit from the NVIDIA website. I really mean both, because the Ubuntu nvidia drivers do not work with CUDA. I first downloaded and installed the CUDA toolkit for Ubuntu 9.04. It was straightforward:

sudo sh cudatoolkit_3.0_linux_64_ubuntu9.04.run

To install the nvidia drivers, you need to disconnect from the graphical session and stop gdm. So I pressed CTRL+Alt+F1 and logged in as a normal user. Then I simply ran the install script:

sudo stop gdm
sudo sh devdriver_3.0_linux_64_195.36.15.run
sudo modprobe nvidia
sudo start gdm

After a normal graphical login, I was able to start working on the Suricata build.
Suricata building

I describe here the compilation of the 0.9.0 source. To do so, get the latest release from the OISF download page and extract it to your preferred directory:

wget http://openinfosecfoundation.org/download/suricata-0.9.0.tar.gz
tar xf suricata-0.9.0.tar.gz
cd suricata-0.9.0

Compilation from git should be straightforward (if CUDA support is not broken) by doing:

git clone git://phalanx.openinfosecfoundation.org/oisf.git
cd oisf
./autogen.sh

The configure command has to be passed options to enable CUDA:

./configure --enable-debug --enable-cuda --with-cuda-includes=/usr/local/cuda/include/ --with-cuda-libraries=/usr/local/cuda/lib64/ --enable-nfqueue --prefix=/opt/suricata/ --enable-unittests

After that you can simply use:

make
sudo make install

Now you're ready to run.
Running Suricata with CUDA support

Let's first check that the previous steps were correct by running the CUDA unit tests:

sudo /opt/suricata/bin/suricata -uUCuda

It should display a bunch of messages and finish with a summary:

==== TEST RESULTS ====
PASSED: 43
FAILED: 0
======================

Now it is time to configure Suricata. To do so, we will first install the configuration file in a standard location:
sudo mkdir /opt/suricata/etc
sudo cp suricata.yaml classification.config /opt/suricata/etc/
sudo mkdir /var/log/suricata

Suricata needs some rules. We will use the Emerging Threats ones and the configuration method described by Victor Julien in his article.

wget http://www.emergingthreats.net/rules/emerging.rules.tar.gz
cd /opt/suricata/etc/
sudo tar xf /home/eric/src/suricata-0.9.0/emerging.rules.tar.gz
As our install location is not standard, we need to set the location of the rules by modifying suricata.yaml:
so that it becomes:
The classification-file variable has to be modified too, to become:
To be able to reproduce the test, we will use a pcap file obtained via tcpdump. For example, my dump was obtained via:
sudo tcpdump -s0 -i br0 -w Desktop/br0.pcap
Now, let's run Suricata to check that it is working correctly:
sudo /opt/suricata/bin/suricata -c /opt/suricata/etc/suricata.yaml -r /home/eric/Desktop/br0.pcap
Once done, we can edit suricata.yaml. We need to replace the mpm-algo value:

#mpm-algo: b2g
mpm-algo: b2g_cuda
Now, let's run Suricata with timing enabled:
time sudo /opt/suricata/bin/suricata -c /opt/suricata/etc/suricata.yaml -r /home/eric/Desktop/br0.pcap 2>/tmp/out.log
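To make the CPU/CUDA comparison repeatable, here is a small shell helper, added here and not part of the original post, that toggles the mpm-algo key in suricata.yaml between b2g and b2g_cuda and times an offline pcap run with each setting. It assumes the key sits at column 0 as in the post, and that SURICATA_BIN points at the installed binary (defaulting to /opt/suricata/bin/suricata).

```shell
#!/bin/sh
# Added example, not from the original post: toggle the mpm-algo key in a
# suricata.yaml between the CPU matcher (b2g) and the CUDA one (b2g_cuda),
# and time an offline pcap run so both settings can be compared.
# Assumption: the key sits at column 0 as "mpm-algo: <value>".
set -eu

SURICATA_BIN="${SURICATA_BIN:-/opt/suricata/bin/suricata}"

# Print the active (uncommented) mpm-algo value(s).
get_mpm_algo() {
    sed -n 's/^mpm-algo:[[:space:]]*//p' "$1"
}

# Count active mpm-algo keys; anything other than 1 means a broken config.
count_active_mpm_algo() {
    grep -c '^mpm-algo:' "$1" || true
}

# Comment out every active mpm-algo line and insert the requested value right
# after the first commented occurrence (the post's "#mpm-algo: b2g" /
# "mpm-algo: b2g_cuda" layout). If the key is missing, append it at the end.
set_mpm_algo() {
    cfg=$1 algo=$2
    tmp=$(mktemp)
    awk -v algo="$algo" '
        /^mpm-algo:/ { $0 = "#" $0 }
        { print }
        /^#mpm-algo:/ && !done { print "mpm-algo: " algo; done = 1 }
        END { if (!done) print "mpm-algo: " algo }
    ' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg" && rm -f "$tmp"   # keep the config's owner/mode
}

# Run Suricata offline on a pcap, sending its output to a log file, and print
# the wall-clock seconds taken. Usage: time_pcap_run CONFIG PCAP LOGFILE
time_pcap_run() {
    cfg=$1 pcap=$2 log=$3
    start=$(date +%s)
    "$SURICATA_BIN" -c "$cfg" -r "$pcap" >"$log" 2>&1
    echo $(( $(date +%s) - start ))
}

# Example session (run manually after the install described in the post):
#   set_mpm_algo /opt/suricata/etc/suricata.yaml b2g
#   time_pcap_run /opt/suricata/etc/suricata.yaml ~/Desktop/br0.pcap /tmp/cpu.log
#   set_mpm_algo /opt/suricata/etc/suricata.yaml b2g_cuda
#   time_pcap_run /opt/suricata/etc/suricata.yaml ~/Desktop/br0.pcap /tmp/cuda.log
```

The functions only redefine the active key, so the commented-out history of previous values stays in the file for reference.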
With Suricata 0.9.0, the run time for a 42 MB pcap file, with startup time deducted, is:
- 11s without CUDA
- 19s with CUDA
As Victor Julien said during an IRC discussion, current CUDA performance is clearly suboptimal because packets are sent to the card one at a time. For the moment it is therefore really slower than the CPU version. He is currently working on an improved version which will fix this issue.
Updated code will be available soon. Stay tuned!