[Oisf-users] Hardware considerations

Jonathan Ben-Joseph jbenjos at gmail.com
Thu Jan 5 17:56:26 UTC 2012 

Josh,


Do you have any notable modifications to the default Suricata configuration
to get that performance?


Thanks,
Jonathan

On Wed, Jan 4, 2012 at 3:07 PM, Josh White <josh at securemind.org> wrote:

> I 2nd that. I'm able to do ~1400 rules on a 1Gbps mostly saturated link
> with 12 cores and 32 GB of RAM.
>
> On Wed, Jan 4, 2012 at 11:00 AM, Martin Holste <mcholste at gmail.com> wrote:
>
>> My rule of thumb is one CPU per 100 Mb/sec and 2 GB RAM per 1000
>> rules.  So, you could monitor 100 Mb/sec using a ruleset of 1000 rules
>> on a single CPU with 2 GB RAM.  Assuming you want to run a large
>> ruleset of 8000 rules on 500 Mb/sec, you'll need 5 CPU's and 16 GB
>> RAM.  So, I'd go with at least a 6-core CPU and as much RAM as you can
>> stuff in there.  CPU and RAM are so cheap now, that the short answer
>> is always buy as much as you can.  We run Dell R710's which are fully
>> loaded with 16 logical CPU, 144 GB RAM and 10 TB usable disk, and we
>> got them for under $15k.  You can go on Newegg and put together a
>> pretty awesome system for under $5k, so it's really more about systems
>> management requirements than hardware specs.  Granted disk prices are
>> up in the air now due to the Thai floods, but CPU/RAM are still
>> incredibly commoditized.
>>
>> On Wed, Jan 4, 2012 at 9:48 AM, Jonathan Ben-Joseph <jbenjos at gmail.com>
>> wrote:
>> > Hello folks,
>> >
>> >
>> > First time poster here, long time lurker.
>> >
>> >
>> > Any suggestions on what kind of hardware should be utilized to run
>> Suricata
>> > effectively considering something like 500 Mbps of sustained traffic?
>> What
>> > RAM, CPU, etc. would be sufficient?
>> >
>> >
>> > Thanks,
>> >
>> > Jonathan
>> >
>> >
>> > _______________________________________________
>> > Oisf-users mailing list
>> > Oisf-users at openinfosecfoundation.org
>> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> >
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120105/df10adef/attachment-0002.html>

More information about the Oisf-users mailing list