[Solved] IDS log reports "hs" is an invalid mpm algo

Started by j0bb13, May 07, 2020, 12:21:51 PM

My issue:
I can't seem to enable Hyperscan in the IDS configuration. The Aho–Corasick algorithm seems to work fine.

My analysis:
The IDS log shows the following when trying to enable Intrusion Detection:
<Error> -- [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - Invalid mpm algo supplied in the yaml conf file: "hs"

The /usr/local/etc/suricata/suricata.yaml file specifies "mpm-algo:  hs ". (yes, those extra spaces are in there)

I ran "suricata --build-info | grep Hyperscan" to check if suricata has hyperscan support and the result was "Hyperscan support:         yes". So suricata was built with hyperscan support.

My system:
Version: OPNsense 20.1.6-amd64
VM: KVM container in Proxmox
Host: Shuttle XPC DS10U (Celeron 4205U) with 8GB RAM and 240GB SSDs in RAID1

The required packages were installed by default:
hyperscan   4.7.0_3   19.3MiB
suricata   4.1.8   6.05MiB

My question:
Could someone help me figure out why hyperscan is reported to be an invalid mpm algorithm? The system is practically a vanilla OPNsense installation and suricata reports it was built with hyperscan support.

Always post your full version info. My magic 8-Ball says you installed i386 (32 bit version).


Cheers,
Franco

PS: I don't have this issue... or maybe Proxmox isn't passing the relevant CPU features that Hyperscan requires.

May 07, 2020, 12:46:01 PM #3 Last Edit: May 07, 2020, 01:03:42 PM by j0bb13
Oops, forgot. I've added -amd64 to my original post.

Also, there doesn't seem to be SSSE3 in the default cpu model (kvm64). So that might very well be the issue. Thanks!
Now I just have to figure out which of the +-30 cpu options I can best select for the VM hardware in Proxmox.

Edit:
Never mind, there is a "host" option at the bottom of the cpu list. I'll try that one later this week.

Edit 2:
Cool! I changed the cpu type to "host" and it just worked. No reinstall needed. The only downside is that my VM is now less "portable", but I can live with that.

Maybe it's handy to mention in the documentation that SSE3 is required for Hyperscan and that VM solutions don't necessarily have that flag set for their default CPU?
https://docs.opnsense.org/manual/virtuals.html
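The thread turns on three independent facts: the value actually written in suricata.yaml, whether the suricata binary was built with Hyperscan, and whether the guest CPU exposes SSSE3 (which the kvm64 model does not). The script below is an added diagnostic helper, not code from the thread or from OPNsense or Suricata. It reads the live CPU feature list from /proc/cpuinfo on Linux or from the dmesg "Features2=" line on FreeBSD (the OPNsense base), and it matches feature names exactly so that SSE3 and SSSE3 are not confused. The suricata.yaml path is the one given in the original post; the helper names and the sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic helper (not from the forum thread, OPNsense or Suricata).
# Checks: (1) the mpm-algo value in suricata.yaml, (2) whether the suricata
# binary reports Hyperscan support, (3) whether the CPU exposes SSSE3.

# Print the mpm-algo value from YAML on stdin, stripping surrounding
# whitespace, trailing comments and optional double quotes.
mpm_algo_from_yaml() {
    sed -n 's/^[[:space:]]*mpm-algo:[[:space:]]*\([^#[:space:]]*\).*/\1/p' \
      | sed 's/^"\(.*\)"$/\1/' \
      | head -n 1
}

# Return 0 if the feature string in $1 contains the exact token ssse3
# (case-insensitive). Accepts both Linux "flags : ..." and FreeBSD
# "Features2=0x...<SSE3,SSSE3,...>" formats; separators become newlines so
# grep -x cannot mistake sse3 for ssse3.
cpu_has_ssse3() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr ' ,<>' '\n\n\n\n' | grep -qx 'ssse3'
}

# Return 0 if the `suricata --build-info` output in $1 says Hyperscan is built in.
suricata_has_hyperscan() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Hyperscan support:[[:space:]]*yes'
}

# Fetch the live CPU feature line for this host (empty string if unknown).
live_cpu_features() {
    if [ -r /proc/cpuinfo ]; then
        grep -m1 '^flags' /proc/cpuinfo
    else
        # FreeBSD prints the feature list at boot, e.g. Features2=0x...<SSE3,SSSE3,...>
        dmesg 2>/dev/null | grep -m1 'Features2=' || true
    fi
}

# Run all three checks against the live system and report; exit 1 on any failure.
diagnose() {
    yaml=${1:-/usr/local/etc/suricata/suricata.yaml}
    status=0

    algo=$(mpm_algo_from_yaml < "$yaml")
    printf 'mpm-algo in %s: %s\n' "$yaml" "${algo:-<unset>}"

    build=$(suricata --build-info 2>/dev/null || true)
    if suricata_has_hyperscan "$build"; then
        echo 'suricata build: Hyperscan support yes'
    else
        echo 'suricata build: Hyperscan support NOT reported'; status=1
    fi

    if cpu_has_ssse3 "$(live_cpu_features)"; then
        echo 'cpu: ssse3 present'
    else
        echo 'cpu: ssse3 MISSING (check the VM CPU model, e.g. kvm64 vs host)'; status=1
    fi

    [ "$algo" = "hs" ] || { echo 'note: mpm-algo is not set to hs'; }
    return $status
}

# Usage: sh check_hs.sh run [/path/to/suricata.yaml]
case "${1:-}" in
    run) diagnose "${2:-}" ;;
esac
```

Running `sh check_hs.sh run` on the affected guest would report the Hyperscan build as present but SSSE3 as missing, which is the combination the thread resolved by switching the Proxmox CPU type to "host"; after that change only the CPU line changes.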