<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div></div><div>Those concepts we described in SEPTun still apply, so have fun adjusting ;)</div><div><br></div><div>What about “partitioning” your machine</div><div><br></div><div>Cores 0-1 run OS, irq.</div><div><br></div><div>Cores 2-3 run Suricata management threads and maybe Bro master and proxies and logger process. If not, separate Bro management processes from Suricata management processes.</div><div><br></div><div>Cores 4-6 run Suri workers</div><div><br></div><div>Cores 4-12 run Bro workers (Bro is at least two times slower than Suri, but that depends a lot on the scripts running) - per process.</div><div><br></div><div>And pin all of that, adjusting as necessary.</div><div><br></div><div>14+ cores. A single CPU. 8 or 16GB per DIMM and use all memory channels. Keep it 1DPC.</div><div><br></div><div>Get yourself a X710 and a Xeon that supports DDIO.</div><div><br></div><div>Report back :-)</div><div><br>On Mar 9, 2018, at 10:02 AM, erik clark <<a href="mailto:philosnef@gmail.com">philosnef@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr">Hmmm, 8? Likely 16. I dont have the hardware yet, trying to prepare ahead of time.<div><br></div><div>Would like to run about 10-15k et pro sigs.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 9, 2018 at 12:54 PM, Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div class="m_5814058081432487993moz-cite-prefix">How many cores?<div><div class="h5"><br>
<br>
On 3/9/2018 9:48 AM, erik clark wrote:<br>
</div></div></div>
<blockquote type="cite"><div><div class="h5">
<pre>So, I am looking at tuning suricata as best as possible on a limited
budget. I am figuring I have about 100 meg throughput possibly, 24-48 gigs
of ram, and ideally would like to run bro on the box as well. Looks like
that may not be sufficient to do this task, and was wondering what kind of
tuning could be done to handle a load of 48 gigs of ram. I also wanted to
shove moloch on there, but I am pretty positive the system cant handle it.
SEPtun2 is clearly out of scope for this. :D
</pre>
<br>
<fieldset class="m_5814058081432487993mimeAttachmentHeader"></fieldset>
<br>
</div></div><pre>______________________________<wbr>_________________
Suricata IDS Users mailing list: <a class="m_5814058081432487993moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@<wbr>openinfosecfoundation.org</a>
Site: <a class="m_5814058081432487993moz-txt-link-freetext" href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a class="m_5814058081432487993moz-txt-link-freetext" href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/<wbr>support/</a>
List: <a class="m_5814058081432487993moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a>
Conference: <a class="m_5814058081432487993moz-txt-link-freetext" href="https://suricon.net" target="_blank">https://suricon.net</a>
Trainings: <a class="m_5814058081432487993moz-txt-link-freetext" href="https://suricata-ids.org/training/" target="_blank">https://suricata-ids.org/<wbr>training/</a></pre><span class="HOEnZb"><font color="#888888">
</font></span></blockquote><span class="HOEnZb"><font color="#888888">
<p><br>
</p>
<pre class="m_5814058081432487993moz-signature" cols="72">--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
<a class="m_5814058081432487993moz-txt-link-abbreviated" href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a> x41042</pre>
</font></span></div>
</blockquote></div><br></div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a></span><br><span>Site: <a href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a></span><br><span>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></span><br><span></span><br><span>Conference: <a href="https://suricon.net">https://suricon.net</a></span><br><span>Trainings: <a href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a></span></div></blockquote></body></html>