<p dir="ltr">Thanks for the guideline. I guess I'll just have to test some hardware and see how it runs. </p>
<div class="gmail_quote">On Apr 21, 2015 3:09 PM, "Peter Manev" <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Tue, Apr 21, 2015 at 7:16 PM, Cooper F. Nelson <<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a>> wrote:<br>
> -----BEGIN PGP SIGNED MESSAGE-----<br>
> Hash: SHA1<br>
><br>
> A good rule of thumb is that if you want to run the full ET feed you<br>
> need 1 core per 50 mbit of traffic.<br>
<br>
I think it really depends on the traffic type and the particular set up.<br>
<br>
I have run full ET feed on 1Gbps pipes with much less HW than 1 core<br>
per 50mbit (aka 20 cores on 1 Gbps)<br>
(plus a core can be for example anything form 1.8 to 3.8GHz and more -<br>
and that really makes a difference as well )<br>
<br>
><br>
> On 4/21/2015 4:27 AM, Peter Fyon wrote:<br>
>> Hey everyone,<br>
>><br>
>> I'm looking to upgrade my snort setup at home to suricata. At the same<br>
>> time, I'm planning on upgrading hardware.<br>
>><br>
>> Unfortunately, the only benchmarks I can find are from back in 2011 or<br>
>> for setups handling substantially more traffic than I need (10gbit).<br>
>><br>
>> I was hoping some of you could give me examples of the hardware you're<br>
>> using, number of signatures, and the throughput you see.<br>
>><br>
>> My current box is an old netbook with a first gen atom cpu. With snort +<br>
>> nfqueue and 20000 signatures, it starts dropping packets around 25 mbit<br>
>> and multiple sessions. My ideal box would be able to handle<br>
>> ~700-1000mbit, with fewer signatures.<br>
>><br>
>> On the note of hardware, is it better to focus on more cores or higher<br>
>> cpu speed?<br>
>><br>
>> Thanks,<br>
>> Peter<br>
>><br>
>><br>
>><br>
>> _______________________________________________<br>
>> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
>> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
>> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>> Suricata User Conference November 4 & 5 in Barcelona: <a href="http://oisfevents.net" target="_blank">http://oisfevents.net</a><br>
>><br>
><br>
><br>
> - --<br>
> Cooper Nelson<br>
> Network Security Analyst<br>
> UCSD ACT Security Team<br>
> <a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042<br>
> -----BEGIN PGP SIGNATURE-----<br>
> Version: GnuPG v2.0.17 (MingW32)<br>
><br>
> iQEcBAEBAgAGBQJVNoX/AAoJEKIFRYQsa8FWp/gH/3LH1iJTYR1qDXXKV3niXX5x<br>
> 3OLN5dPOZoFHqALur2SuyYrL2BwpfR+wahIiaT8mem8rvw5g1wt/36clDi+nvZ8R<br>
> 5yFcs2tpFj0xhFrt08Vucn+Mx+M22d8+Q8F4sHJEx7hYtr4/c4/K88rXUHjwprBH<br>
> 0jRYdrYYcizBamIbj3bx6eth7Mhj/xifeiJXB2ONtrMDZgs6Iy1zD8qxhc1OTwuM<br>
> 4sao0dfdCQvoWQj9XgAbwR8lPz3Xhl0oyCM8xg9ndfwbNa6F2pyF2sgFwkXgOU/m<br>
> Wa2LHdwq6g1IzB5wYc7blFeFov1Pqwyz/rBf8qknJCrUCBZ/fsIsdaZ0bJ50kwo=<br>
> =72Ks<br>
> -----END PGP SIGNATURE-----<br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> Suricata User Conference November 4 & 5 in Barcelona: <a href="http://oisfevents.net" target="_blank">http://oisfevents.net</a><br>
<br>
<br>
<br>
--<br>
Regards,<br>
Peter Manev<br>
</blockquote></div>