Autogenerated on 2012-01-11
from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_with_CUDA_and_PF_RING_on_Ubuntu_server_1104


Installation with CUDA and PF RING on Ubuntu server 11.04

THIS WILL NOT WORK ON A VIRTUAL MACHINE!
This guide is written using:
Ubuntu Server 11.04
Linux ubuntu 2.6.38-8-generic x86_64 GNU/Linux

Pre installation requirements


  apt-get update
  apt-get upgrade

To get the CUDA toolkit, go to:

  http://developer.nvidia.com/cuda-toolkit-40

Pick the correct NVIDIA drivers for your card and system:

  http://www.nvidia.com/Download/index.aspx?lang=en-us

Go to your download directory and chmod the 2 *.run files that you just downloaded.
For example:

  chmod 655 cudatoolkit_4.0.17_linux_64_ubuntu10.10.run
  chmod 655 NVIDIA-Linux-x86_64-280.13.run


  sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
  build-essential autoconf automake libtool libpcap-dev libnet1-dev \
  libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
  make flex bison git

Run the cuda toolkit installation package:

  sudo ./cudatoolkit_4.0.17_linux_64_ubuntu10.10.run

Close all windows and, while you are still logged in, press:

  Ctrl+Alt+F1

Log in with your credentials

  sudo -i

And enter your password
Stop the x server:

  /etc/init.d/gdm stop

Uninstall xserver video drivers:

  apt-get remove --purge xserver-xorg-video-nouveau

Go to the directory where you downloaded nvidia/cuda drivers.
Run the NVIDIA*******.run:

  ./NVIDIA********.run

Answer OK and Yes to the prompts until the installer exits.
At some point it will ask you to create a special configuration file to disable
the "nouveau" driver that the system is currently using - say yes!
Reboot:

  shutdown -r now

After the reboot, log in as you would normally do through the GUI.
Go to shell:

  Ctrl+Alt+F1

Type in your credentials:

  sudo -i

Stop the xserver again:

  /etc/init.d/gdm stop

Run the NVIDIA driver installer again.
This time it will finish successfully.
Reboot:

  shutdown -r now

After startup you will notice that the display has a much better resolution -
it is a good thing.
Log in as you would normally.
Because the 11.04 Ubuntu comes with gcc version 4.5 by default, you need to
install gcc 4.4 since you must use 4.4 for the cuda compilation:

  apt-get install gcc-4.4 gcc-4.4-base g++-4.4

Then we switch and make ubuntu use the gcc 4.4 by default:

  sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-4.5 40 \
  --slave /usr/bin/g++ g++ /usr/bin/g++-4.5
  sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-4.4 60 \
  --slave /usr/bin/g++ g++ /usr/bin/g++-4.4

Make sure that this is the case:

  sudo update-alternatives --config gcc

Run as root, update-alternatives --config gcc prints:

  There are 2 choices for the alternative gcc (providing /usr/bin/gcc).

    Selection    Path              Priority   Status
  ------------------------------------------------------------
  * 0            /usr/bin/gcc-4.4   60        auto mode
    1            /usr/bin/gcc-4.4   60        manual mode
    2            /usr/bin/gcc-4.5   40        manual mode

  Press enter to keep the current choice[*], or type selection number


PF_RING installation.

Install pre-requisites:

  cd /opt
  apt-get install subversion gobjc++-4.4-multilib gobjc++-4.4

Get the latest PF_RING:

  svn --force export https://svn.ntop.org/svn/ntop/trunk/PF_RING/ PF_RING

Install PF_RING:

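  # build and load the kernel module
  cd /opt/PF_RING/kernel
  make && make install
  sudo insmod ./pf_ring.ko
  # build the userland library and the PF_RING-aware libpcap
  cd ../userland
  make && make install
  cd lib
  ./configure && make && make install
  cd ../libpcap
  ./configure && make && make install
  cd ../examples
  # module options used the next time pf_ring is loaded through modprobe
  echo "options pf_ring transparent_mode=0 min_num_slots=32768 enable_tx_capture=0" > /etc/modprobe.d/pf_ring.conf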

Check info:

  cat /proc/net/pf_ring/info

  PF_RING Version     : 4.7.3 ($Revision: exported$)
  Ring slots          : 4096
  Slot version        : 13
  Capture TX          : Yes [RX+TX]
  IP Defragment       : No
  Socket Mode         : Standard
  Transparent mode    : Yes (mode 0)
  Total rings         : 0
  Total plugins       : 0
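The info output above still reports 4096 ring slots and TX capture enabled, while the options file asks for min_num_slots=32768 and enable_tx_capture=0: insmod does not read /etc/modprobe.d, and the file was written after the module was loaded. The following check is an added example, not part of the original guide or of PF_RING; the mapping of info fields to module options and the "No [RX only]" sample text are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): check that the loaded pf_ring
# module matches the options written to /etc/modprobe.d/pf_ring.conf.
# Assumed mapping: "Ring slots" <- min_num_slots, "Capture TX" <-
# enable_tx_capture, "Transparent mode ... (mode N)" <- transparent_mode.

# Print the value of one "Name : value" line from the info text.
pfring_field() {   # $1 = info text, $2 = field name
    printf '%s\n' "$1" |
        awk -F ' *: *' -v k="$2" '{ sub(/^ +/, "") } $1 == k { print $2; exit }'
}

# Print one line per mismatch; return 1 if any field differs from the options.
pfring_check() {   # $1 = info text, $2 = slots, $3 = tx capture, $4 = mode
    pc_rc=0
    pc_slots=$(pfring_field "$1" "Ring slots")
    [ "$pc_slots" = "$2" ] ||
        { echo "Ring slots: got ${pc_slots:-none}, want $2"; pc_rc=1; }
    pc_tx=$(pfring_field "$1" "Capture TX")
    case "$3:$pc_tx" in
        0:No*|1:Yes*) ;;
        *) echo "Capture TX: got ${pc_tx:-none}, want enable_tx_capture=$3"; pc_rc=1 ;;
    esac
    pc_mode=$(pfring_field "$1" "Transparent mode")
    case "$pc_mode" in
        *"(mode $4)"*) ;;
        *) echo "Transparent mode: got ${pc_mode:-none}, want mode $4"; pc_rc=1 ;;
    esac
    return "$pc_rc"
}

# Relevant lines of the info text as printed in this guide (insmod defaults).
GUIDE_INFO='PF_RING Version     : 4.7.3 ($Revision: exported$)
Ring slots          : 4096
Capture TX          : Yes [RX+TX]
Transparent mode    : Yes (mode 0)'

# Constructed sample: what a module state matching the options would show.
WANTED_INFO='Ring slots          : 32768
Capture TX          : No [RX only]
Transparent mode    : Yes (mode 0)'

# On a real sensor, compare the live module with the guide's options.
if [ -r /proc/net/pf_ring/info ]; then
    pfring_check "$(cat /proc/net/pf_ring/info)" 32768 0 0 ||
        echo "pf_ring differs from pf_ring.conf; reload the module with modprobe"
fi
```

On an IDS sensor, an undersized ring shows up as dropped packets, so run the check again after every reboot or module reload.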

Check functionality:

  cd /opt/PF_RING/userland/examples
  ./pfcount -i eth0

You should see something even if you have no traffic at the moment:

  Using PF_RING v.4.7.3
  Capturing from eth0 [88:AE:1D:56:90:FA]
  # Device RX channels: 1
  # Polling threads: 1
  =========================
  Absolute Stats: [0 pkts rcvd][0 pkts dropped]
  Total Pkts=0/Dropped=0.0 %
  0 pkts - 0 bytes
  =========================

  =========================
  Absolute Stats: [0 pkts rcvd][0 pkts dropped]
  Total Pkts=0/Dropped=0.0 %
  0 pkts - 0 bytes [0.00 pkt/sec - 0.00 Mbit/sec]
  =========================
  Actual Stats: 0 pkts [1'000.32 ms][0.00 pkt/sec]
  =========================
  ^CLeaving...
  =========================
  Absolute Stats: [0 pkts rcvd][0 pkts dropped]
  Total Pkts=0/Dropped=0.0 %
  0 pkts - 0 bytes [0.00 pkt/sec - 0.00 Mbit/sec]
  =========================
  Actual Stats: 0 pkts [629.37 ms][0.00 pkt/sec]
  =========================

Suricata

Go to directory of your choice and get Suricata:

  git clone git://phalanx.openinfosecfoundation.org/oisf.git
  cd oisf/

Configure:

  ./autogen.sh
  ./configure --enable-gccprotect --enable-profiling --enable-cuda \
  --with-cuda-includes=/usr/local/cuda/include \
  --with-cuda-libraries=/usr/local/cuda/lib64 --enable-pfring

At the end you should get:

  Suricata Configuration:
    NFQueue support:          no
    IPFW support:             no
    PF_RING support:          yes
    Prelude support:          no
    Unit tests enabled:       no
    Debug output enabled:     no
    Debug validation enabled: no
    CUDA enabled:             yes
    DAG enabled:              no
    Profiling enabled:        yes
    GCC Protect enabled:      yes
    GCC march native enabled: yes
    GCC Profile enabled:      no
    Unified native time:      no
    Non-bundled htp:          no
    PCRE sljit:               no


Install:

  make && make install
  ldconfig

Verify:

  suricata --build-info

  [1840] 13/8/2011 -- 14:26:39 - (suricata.c:622) <Info> (main) -- This is Suricata version 1.1beta2 (rev b3f7e6a)
  [1840] 13/8/2011 -- 14:26:39 - (suricata.c:507) <Info> (SCPrintBuildInfo) -- Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 CUDA PF_RING LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK
  [1840] 13/8/2011 -- 14:26:39 - (suricata.c:521) <Info> (SCPrintBuildInfo) -- 64-bits, Little-endian architecture
  [1840] 13/8/2011 -- 14:26:39 - (suricata.c:523) <Info> (SCPrintBuildInfo) -- GCC version 4.4.5, C version 199901
  [1840] 13/8/2011 -- 14:26:39 - (suricata.c:529) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
  [1840] 13/8/2011 -- 14:26:39 - (suricata.c:532) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
  [1840] 13/8/2011 -- 14:26:39 - (suricata.c:535) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
  [1840] 13/8/2011 -- 14:26:39 - (suricata.c:538) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
  [1840] 13/8/2011 -- 14:26:39 - (suricata.c:541) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
  [1840] 13/8/2011 -- 14:26:39 - (suricata.c:545) <Info> (SCPrintBuildInfo) -- compiled with -fstack-protector
  [1840] 13/8/2011 -- 14:26:39 - (suricata.c:551) <Info> (SCPrintBuildInfo) -- compiled with _FORTIFY_SOURCE=2

Run Suricata:

  suricata -c /etc/suricata/suricata.yaml \
  --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow

