I 2nd that. I'm able to do ~1400 rules on a 1Gbps mostly saturated link with 12 cores and 32 GB of RAM. <br><br><div class="gmail_quote">On Wed, Jan 4, 2012 at 11:00 AM, Martin Holste <span dir="ltr"><<a href="mailto:mcholste@gmail.com">mcholste@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">My rule of thumb is one CPU per 100 Mb/sec and 2 GB RAM per 1000<br>
rules. So, you could monitor 100 Mb/sec using a ruleset of 1000 rules<br>
on a single CPU with 2 GB RAM. Assuming you want to run a large<br>
ruleset of 8000 rules on 500 Mb/sec, you'll need 5 CPU's and 16 GB<br>
RAM. So, I'd go with at least a 6-core CPU and as much RAM as you can<br>
stuff in there. CPU and RAM are so cheap now, that the short answer<br>
is always buy as much as you can. We run Dell R710's which are fully<br>
loaded with 16 logical CPU, 144 GB RAM and 10 TB usable disk, and we<br>
got them for under $15k. You can go on Newegg and put together a<br>
pretty awesome system for under $5k, so it's really more about systems<br>
management requirements than hardware specs. Granted disk prices are<br>
up in the air now due to the Thai floods, but CPU/RAM are still<br>
incredibly commoditized.<br>
<div><div class="h5"><br>
On Wed, Jan 4, 2012 at 9:48 AM, Jonathan Ben-Joseph <<a href="mailto:jbenjos@gmail.com">jbenjos@gmail.com</a>> wrote:<br>
> Hello folks,<br>
><br>
><br>
> First time poster here, long time lurker.<br>
><br>
><br>
> Any suggestions on what kind of hardware should be utilized to run Suricata<br>
> effectively considering something like 500 Mbps of sustained traffic? What<br>
> RAM, CPU, etc. would be sufficient?<br>
><br>
><br>
> Thanks,<br>
><br>
> Jonathan<br>
><br>
><br>
</div></div>> _______________________________________________<br>
> Oisf-users mailing list<br>
> <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
><br>
_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
</blockquote></div><br>