<div dir="ltr">We are currently running a cluster of six Suricata (IDS mode) boxes fed from a pair of Arista 7150. Each Arista is fed by a regeneration tap (which also feeds a Cisco NGA netflow appliance). We have two active borders. Each has 10GB up and 10GB down, for an effective 40GB max (though we're not saturating the links). Not quite what you're architecting from the sounds of it, but not too far off.<div><br></div><div>Three of the sensor boxes are production and each has a redundant pair, in case we loose power at an edge node. Fiber crossovers from each data center ensure each Arista 7150 aggregates a full set of traffic from both borders.</div><div><br></div><div>Each server (Dell R620) has 2x 10 physical core Xeons at 3.0GHz, 128GB of RAM, has has 1x Myricom <span style="font-size:12.8000001907349px">10G-PCIE2-8C2-2S NIC with the Sniffer10G firmware. Each server runs a single 32 thread Suricata instance (maxium number of ring buffers per Myricom port). We currently see around 250-500MBps on each port and run around 15,000 Emerging Threats Pro rules.</span></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px">We use EVE JSON output with the printable_packet option. Logs are ingested by a Splunk Universal Forwarder agent on each box which feeds our Splunk indexer where analysis takes place. We see around a million events per day, which ends up being about 1-2GB of Splunk indexing volume per day.</span></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px">Additionally, we feed 3x Dell R620 running Bro (in testing), and we have a spare R620 for staging/testing.</span></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px">Things just went into production, so I'm still working out a few kinks.</span></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px">Hope this helps.</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Feb 5, 2015 at 1:57 PM, Peter Manev <span dir="ltr"><<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Douglas,<br>
<br>
I have not - but I am willing to help you out in that every step of<br>
the way - should you consider the offer.<br>
<br>
There would be a lot of considerations that will need to be taken into<br>
account prior getting the HW (i suspect)<br>
<br>
An initial question if I may:<br>
You mention IDS/IPS - is one or the other or is it both ?<br>
<br>
Thank you<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
On Thu, Feb 5, 2015 at 1:59 PM, Duckworth, Douglas C <<a href="mailto:duckd@tulane.edu">duckd@tulane.edu</a>> wrote:<br>
> -----BEGIN PGP SIGNED MESSAGE-----<br>
> Hash: SHA1<br>
><br>
> Hello<br>
><br>
> We are developing a new high-speed network and are looking into IDS /<br>
> IPS solutions.<br>
><br>
> Has anyone ran suricata at 40Gb?<br>
><br>
> I found Tilera as one hardware vendor but appreciate any<br>
> recommendations for others.<br>
><br>
> <a href="http://www.openinfosecfoundation.org/index.php/download-suricata/173-oisf-welcomes-tilera-as-a-gold-level-consortium-member" target="_blank">http://www.openinfosecfoundation.org/index.php/download-suricata/173-oisf-welcomes-tilera-as-a-gold-level-consortium-member</a><br>
><br>
> <a href="http://www.tilera.com/sites/default/files/productbriefs/TILExtreme-Gx-PB040-02_web.pdfhttp://www.tilera.com/sites/default/files/productbriefs/TILExtreme-Gx-PB040-02_web.pdf" target="_blank">http://www.tilera.com/sites/default/files/productbriefs/TILExtreme-Gx-PB040-02_web.pdfhttp://www.tilera.com/sites/default/files/productbriefs/TILExtreme-Gx-PB040-02_web.pdf</a><br>
><br>
> Thanks<br>
> Doug<br>
><br>
> - --<br>
> Thanks<br>
><br>
> Douglas Charles Duckworth<br>
> Unix Administrator<br>
> Tulane University<br>
> Technology Services<br>
> 1555 Poydras Ave<br>
> NOLA -- 70112<br>
><br>
> E: <a href="mailto:duckd@tulane.edu">duckd@tulane.edu</a><br>
> O: <a href="tel:504-988-9341" value="+15049889341">504-988-9341</a><br>
> F: <a href="tel:504-988-8505" value="+15049888505">504-988-8505</a><br>
> -----BEGIN PGP SIGNATURE-----<br>
> Version: GnuPG v1<br>
><br>
> iQIcBAEBAgAGBQJU072YAAoJEP/Xbmk1axQptuEP/ilJ7Rt0Ep7ApdypLxnfKuV1<br>
> NzFRqkusjwV6SdOQ7pC0vKiFASwSVyivkSbNG8NfdU565qHj8uuXRt+Qm0zDMRkN<br>
> /IbKMcs5zxtPVA0OYdm8VcyUFO7AmDrOqZj7Du3o7RjmDn3JRTfICZDrDNTadxXX<br>
> GA/e8aXZx7a6EDU1basILY+71hueu9D8STto2EWdbNuZPtIvQHt5UygzdPg+N/64<br>
> XW0TT+f8TAqxw6UZvhw3EHeI+UyoB+JQWbUypbp7+XXMlnj/xpHoAb0JQwCq/Zjd<br>
> BL3scTTvU3LKAmMGkG3a20xORsn9Tm/3yTRnOzrhQOpkfXBgJuUncrA7Nar0K9AM<br>
> 6TkJzRhd2MpdPP4RtnYCO4z+KVhkcL1w8UfZlEFf2R/AUUHXNPI2kn/pI1z39qxI<br>
> qFyBeVt5N+ntFfd+wNAwqwKOmYDJVPBQixIo+U0jg2b2SLoaKFHEeyLaEXBYAlRU<br>
> 1IsWHeJz1Uci0ob63JS9CjO2gLyewqbTSQjo6L5jZayDCPEGlMF4XN95FCy5et0s<br>
> L/NJ6roHGq6RoFkV6xjfqPZBUGvZgjQJcq60n659r7QNlbeudI6S1cTRLb5TdkOH<br>
> /9hk5mWmhRtFtoUZr6UOM2U0Xc6Bhy+Cch4ThhfaOyaBRDkrktd5dNW6WbXVYCAa<br>
> tQXjcGH0XRyeT55FgHP2<br>
> =lILb<br>
> -----END PGP SIGNATURE-----<br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><br>
<br>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">--<br>
Regards,<br>
Peter Manev<br>
</font></span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Brandon Lattin<div>Security Analyst<br><div>University of Minnesota - University Information Security<br>Office: 612-626-6672</div></div></div></div>
</div>