[Oisf-users] Monitoring 100Gb network

Cooper F. Nelson cnelson at ucsd.edu
Tue May 30 19:11:10 UTC 2017


Really depends on the traffic profile.

If you have primarily 'elephant' flows (i.e. 'big and fat' 100-1000+
Mbit flows), then you can probably get away with a fairly modest server
and leverage Suricata's flow pruning feature.

If it's more like typical ISP traffic (lots o' little flows), you will
need more cores.

Peter Manev and Michal Purzynski have a performance tuning guide for
20Gb+ deployments you may find interesting:

> https://github.com/pevma/SEPTun

-Coop

On 5/30/2017 8:27 AM, Charles Devoe wrote:
> We are currently looking to monitor a 100Gb network.  Does anyone
> have any recommendations for the server needed to do this?
> 
> We are looking at a server with
> 
> Intel Xeon E5-2697v4 2.3GHz, 18C/36T
> 128 GB Memory
> Mellanox 100 GbE dual port card
> 2 –ea 300 GB hard configured as RAID 1
> 
> 
> Has anyone out there monitored a connection of this size?
> 


-- 
Cooper Nelson
IT Security - Information Technology Services
University of California San Diego
(858) 534-6487 - cnelson at ucsd.edu
https://cybersecurity.ucsd.edu
