[Oisf-users] Hardware considerations

Martin Holste mcholste at gmail.com
Wed Jan 4 16:00:13 UTC 2012

My rule of thumb is one CPU per 100 Mb/sec and 2 GB RAM per 1000
rules.  So, you could monitor 100 Mb/sec using a ruleset of 1000 rules
on a single CPU with 2 GB RAM.  Assuming you want to run a large
ruleset of 8000 rules on 500 Mb/sec, you'll need 5 CPU's and 16 GB
RAM.  So, I'd go with at least a 6-core CPU and as much RAM as you can
stuff in there.  CPU and RAM are so cheap now, that the short answer
is always buy as much as you can.  We run Dell R710's which are fully
loaded with 16 logical CPU, 144 GB RAM and 10 TB usable disk, and we
got them for under $15k.  You can go on Newegg and put together a
pretty awesome system for under $5k, so it's really more about systems
management requirements than hardware specs.  Granted disk prices are
up in the air now due to the Thai floods, but CPU/RAM are still
incredibly commoditized.

On Wed, Jan 4, 2012 at 9:48 AM, Jonathan Ben-Joseph <jbenjos at gmail.com> wrote:
> Hello folks,
> First time poster here, long time lurker.
> Any suggestions on what kind of hardware should be utilized to run Suricata
> effectively considering something like 500 Mbps of sustained traffic? What
> RAM, CPU, etc. would be sufficient?
> Thanks,
> Jonathan
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

More information about the Oisf-users mailing list