[Oisf-users] Hardware considerations

Josh White josh at securemind.org
Tue Jan 10 00:49:37 UTC 2012


I'm going to send a paper out to the list soon "hopefully" with discussion
of modifications / performance measurements. The most significant thing I
can say is that from experience AutoFP enabled, DDR-3 and AMD Processors
seem to all have the greatest impacts. With your CPUs, make sure you have
at least 1 MB of L2 Cache per core, and if you can help it at least 256 KB
of L1 per core.

Desktop CPUs tend to bottleneck in the CPU to memory connect especially
when Suricata is deployed on larger HPC systems. AMD supports a
HyperTransport bus that reduces the CPU to CPU lag that occurs when
launching a lot of threads. I found that when you hit about 192 threads CPU
to CPU and CPU to Memory communication becomes the greatest issue.

On Thu, Jan 5, 2012 at 12:56 PM, Jonathan Ben-Joseph <jbenjos at gmail.com> wrote:

> Josh,
>
>
> Do you have any notable modifications to the default Suricata
> configuration to get that performance?
>
>
> Thanks,
> Jonathan
>
> On Wed, Jan 4, 2012 at 3:07 PM, Josh White <josh at securemind.org> wrote:
>
>> I 2nd that. I'm able to do ~1400 rules on a 1Gbps mostly saturated link
>> with 12 cores and 32 GB of RAM.
>>
>> On Wed, Jan 4, 2012 at 11:00 AM, Martin Holste <mcholste at gmail.com> wrote:
>>
>>> My rule of thumb is one CPU per 100 Mb/sec and 2 GB RAM per 1000
>>> rules.  So, you could monitor 100 Mb/sec using a ruleset of 1000 rules
>>> on a single CPU with 2 GB RAM.  Assuming you want to run a large
>>> ruleset of 8000 rules on 500 Mb/sec, you'll need 5 CPUs and 16 GB
>>> RAM.  So, I'd go with at least a 6-core CPU and as much RAM as you can
>>> stuff in there.  CPU and RAM are so cheap now, that the short answer
>>> is always buy as much as you can.  We run Dell R710s which are fully
>>> loaded with 16 logical CPU, 144 GB RAM and 10 TB usable disk, and we
>>> got them for under $15k.  You can go on Newegg and put together a
>>> pretty awesome system for under $5k, so it's really more about systems
>>> management requirements than hardware specs.  Granted disk prices are
>>> up in the air now due to the Thai floods, but CPU/RAM are still
>>> incredibly commoditized.
>>>
>>> On Wed, Jan 4, 2012 at 9:48 AM, Jonathan Ben-Joseph <jbenjos at gmail.com>
>>> wrote:
>>> > Hello folks,
>>> >
>>> >
>>> > First time poster here, long time lurker.
>>> >
>>> >
>>> > Any suggestions on what kind of hardware should be utilized to run Suricata
>>> > effectively considering something like 500 Mbps of sustained traffic? What
>>> > RAM, CPU, etc. would be sufficient?
>>> >
>>> >
>>> > Thanks,
>>> >
>>> > Jonathan
>>> >
>>> >
>>> > _______________________________________________
>>> > Oisf-users mailing list
>>> > Oisf-users at openinfosecfoundation.org
>>> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> >
>>>
>>>
>>
>