[Oisf-users] Sizing Suricata

Josh White josh at securemind.org
Fri Jun 22 20:25:32 UTC 2012


Assuming you are processing an average of 174,760 PPS "Average 2Gbps link
for my networks", you need a 12 core system running Suricata 1.3 Dev. ver.
to keep up with the traffic. However, it's highly dependent on the type of
traffic you're trying to handle and the size of the packets.

On Fri, Jun 22, 2012 at 9:38 AM, Martin Holste <mcholste at gmail.com> wrote:

> We run about 800 Mb/sec on 16 cores, but we throw a lot of RAM at it.
> You will definitely want to run with the ac full setting for the
> pattern matcher, and if you run an average amount of rules, you're
> looking at around 30 GB of RAM required to do that.  RAM is cheap, so
> I suggest maxing it out when you buy the box.
>
> My hunch (I don't have numbers to prove this) is that you should also
> look at the size of the caches on the CPUs and go with at least 16
> cores but the largest cache you can get.  If anyone has experience
> saying whether a few more MB of L2 cache is worth more than, say, 8
> more CPUs, that would be really interesting and helpful information.
>
> On Fri, Jun 22, 2012 at 4:30 AM, Peter Manev <petermanev at gmail.com> wrote:
> > Hi,
> >
> > More cores always help.
> > I would think individual CPUs are better - but 64 cores for 1-2Gbit is
> > unnecessarily excessive, I believe.
> > Suggestion - more RAM is always good to have/handy and cheap (depending
> > on the size of the rule set that you would like to run).
> > Just my opinion.
> >
> >
> > We are planning for some 10G traffic tests and we will publish/update the
> > High Perf Configuration in a couple of weeks (I hope).
> >
> > thanks
> >
> >
> >
> >
> > On Fri, Jun 22, 2012 at 11:11 AM, Peter Bates <peter.bates at ucl.ac.uk> wrote:
> >>
> >> Hello all
> >>
> >> I've been reading
> >> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/High_Performance_Configuration
> >> as a base for a planned upgrade to our existing system.
> >>
> >> We have about 1-2Gbit/sec on a 10G link, Intel ixgbe and will use
> >> PF_RING or AF_PACKET.
> >>
> >> I've been looking at the recent AMD 16C CPUs and seeing that you can
> >> buy a 4-CPU box resulting in 64 cores.
> >>
> >> Are more individual cores preferable to having faster individual CPUs?
> >>
> >> Thanks.
> >>
> >> - --
> >> Peter Bates
> >> Senior Computer Security Officer    Phone: +44(0)2076792049
> >> Information Services Division       Internal Ext: 32049
> >> University College London
> >> London WC1E 6BT
> >>
> >>
> >> _______________________________________________
> >> Oisf-users mailing list
> >> Oisf-users at openinfosecfoundation.org
> >> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> >
> >
> >
> > --
> > Regards,
> > Peter Manev
> >
> >