[Oisf-users] Sizing Suricata

Martin Holste mcholste at gmail.com
Fri Jun 22 13:38:15 UTC 2012


We run about 800 Mb/sec on 16 cores, but we throw a lot of ram at it.
You will definitely want to run with the ac full setting for the
pattern matcher, and if you run an average amount of rules, you're
looking at around 30 GB of RAM required to do that.  RAM is cheap, so
I suggest maxing it out when you buy the box.

My hunch (I don't have numbers to prove this) is that you should also
look at the size of the caches on the CPU's and go with at least 16
cores but the largest cache you can get.  If anyone has experience
saying whether a few more MB of L2 cache is worth more than, say, 8
more CPU's, that would be really interesting and helpful information.

On Fri, Jun 22, 2012 at 4:30 AM, Peter Manev <petermanev at gmail.com> wrote:
> Hi,
>
> More cores always help.
> I would think Individual CPU's is better - but 64core for 1-2Gbit is
> unnecessarily excessive i believe.
> Suggestion - more RAM is always good to have/handy and cheep (depending on
> the size of the rules set that you would like to run).
> Just my opinion.
>
>
> We are planning for some 10G traffic tests and we will publish/update the
> High Perf Configuration in a couple of weeks (I hope).
>
> thanks
>
>
>
>
> On Fri, Jun 22, 2012 at 11:11 AM, Peter Bates <peter.bates at ucl.ac.uk> wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>> Hello all
>>
>> I've been reading
>>
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/High_Performance_Configuration
>> as a base for a planned upgrade to our existing system.
>>
>> We have about 1-2Gbit/sec on a 10G link, Intel ixgbe and will use
>> PF_RING or AF_PACKET.
>>
>> I've been looking at the recent AMD 16C CPUs and seeing that you can
>> buy a 4-CPU box resulting in 64 cores.
>>
>> Are more individual cores preferable to having faster individual CPUs?
>>
>> Thanks.
>>
>> - --
>> Peter Bates
>> Senior Computer Security Officer    Phone: +44(0)2076792049
>> Information Services Division       Internal Ext: 32049
>> University College London
>> London WC1E 6BT
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2.0.17 (MingW32)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>
>> iQEcBAEBAgAGBQJP5DbWAAoJELhVoVpEMS6RSpYH/jO7KoZ+wOvx5R530qVxA7fR
>> sv4YDAyEXCdV5XapxtQenxuR6nszvDSvTPdli56e8OY/5bZ4fkrjBvnfuaizjxTx
>> EEoCiW5RVUzG8kTMnMexaX0B6dpETq7q2TltBPoUEcO27KPmdEJ+oYYVn5T+akuu
>> 46ozv3yJrGluSO19zeD5HOpj6ZcDEYp3TywmDUOU9MsP8RhvAUXe8sk8NTH49oQv
>> gA+OT66uddSST/U5UHezjBUemFZ5p5qpnVqwufuckvjeEgC+6/cTBOW5opSoMv8M
>> m+tJnWt2Z6pne/fioKTOhnvlLKWzhh5FiFGMxsmFqQtyMRYnixfTa+NNx5XK2qE=
>> =9aCH
>> -----END PGP SIGNATURE-----
>>
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
>
>
> --
> Regards,
> Peter Manev
>
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>



More information about the Oisf-users mailing list