[Oisf-users] running Suricata on cisco ucs

Duarte Silva duarte.silva at serializing.me
Wed Oct 21 16:01:19 UTC 2015


Hi Risto,

depends very much on your rule set. With 8Gb and 8 cores I was able to handle 
200Mbps with small bursts of up to ~500Mbps without drops. However, I did have 
a tuned configuration, based on the environment (servers, users, traffic, etc.).

I don't remember the number of rules.

Cheers,
Duarte

PS: if memory serves me right, in workers run mode and network card queues 
affinity setup, you're limited to using 8 cores for the detection engine since the 
virtual cards only support 8 queues.

On Wednesday 21 October 2015 13:35:54 Risto Vaarandi wrote:
> > From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:oisf-
> > users-bounces at lists.openinfosecfoundation.org] On Behalf Of Risto
> > Vaarandi
> > Sent: Wednesday, October 21, 2015 12:35 PM
> > To: oisf-users at lists.openinfosecfoundation.org
> > Subject: [Oisf-users] running Suricata on cisco ucs
> > 
> > Hi all,
> > 
> > A few days ago, I was offered unused Cisco UCS servers for running Suricata.
> > Since UCS hardware should accept any recent Linux distribution without
> > issues, my plan is to install CentOS 7 on top of a UCS server and use it
> > for running Suricata. However, the UCS boxes have vic1340 network
> > adapters, and I was wondering how well they are suited for packet capture
> > in 10Gbit/s networks. I know that Intel 10Gbit/s network cards that use
> > the 'ixgbe' driver are the best option for Suricata, and all my other
> > installations are relying on Intel cards.
> > 
> > Does anyone have any experience with Suricata on the UCS platform with vic1340,
> > and how well does this combination work? If this is something that is not
> > recommended, I'd go with an Intel network card and 'ixgbe'.
> 
> ...additional question -- if one runs VMware on top of UCS as people
> normally do, can Suricata deliver adequate performance if running as a
> virtual machine? How efficiently is packet capture implemented through
> virtual network cards and what is the max rate of traffic I could reliably
> capture? Any experience and results from the field are appreciated :)
> 
> Kind regards,
> risto
> 
> > Kind regards,
> > risto
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Suricata User Conference November 4 & 5 in Barcelona:
> > http://oisfevents.net
> 