[Oisf-users] Recommended Hardware Requirements

Nelson, Cooper cnelson at ucsd.edu
Tue Jul 2 18:12:45 UTC 2019


This is very much dependent on your traffic profile.  If it’s an internal deployment with lots of 10Gbps LAN traffic you will need more hardware than a border deployment with ISP type traffic.

I would recommend starting with a 16 core, 32 (or more) Gig RAM (depending on your stream depth) system for 10Gbps and measuring your system load and packet drops.

Ideally you want your NIC/cores/RAM/ring-buffer under 50% utilization per sensor, to keep packet drops around .1% or less. If you see more than .1% packet drops, add another sensor and keep doubling the ring-size until you get the performance you want. I’ve used up to a million packets for the ring-size with no problems on my AMD Piledriver system; however, on Intel deployments a smaller ring-size might be preferable.

I think there are a lot of benefits to standardizing on a modest/affordable build, using a switched load-balancer and deploying multiple sensors. That way if you have an outage you don’t lose 100% of your visibility and you can easily expand your deployment in a predictable way. You should be sending all your alerts in JSON to a SIEM for indexing/alerting.

-Coop

From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> On Behalf Of Req Deny
Sent: Thursday, June 27, 2019 10:24 PM
To: oisf-users at lists.openinfosecfoundation.org
Subject: [Oisf-users] Recommended Hardware Requirements

All,

I have been searching around and trying to lock down information on recommended hardware requirements. I looked through most of the documentation, and sorry if I have missed it.

Looking @ 1Gbps (Single Port Ingest)
Also @ 10Gbps (Single Port Ingest)

Looking for cores/threads/RAM primarily. Anything else I should be aware of?

Thanks

Req
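
An added example, not part of the original thread: one way to measure the packet-drop percentage the reply recommends tracking against its .1% target. It assumes Suricata's EVE `stats` records with cumulative `capture.kernel_packets` and `capture.kernel_drops` counters; the sample records and function names are constructed for illustration.

```python
import json

DROP_TARGET_PCT = 0.1  # target from the reply above: about .1% packet drops or less

# Constructed sample of EVE records; counters are cumulative since engine start
# and the values are made up for illustration.
SAMPLE_EVE = """\
{"timestamp":"2019-07-02T18:00:00.000000+0000","event_type":"stats","stats":{"uptime":60,"capture":{"kernel_packets":1000000,"kernel_drops":200}}}
{"timestamp":"2019-07-02T18:00:05.000000+0000","event_type":"alert","alert":{"signature":"constructed example"}}
{"timestamp":"2019-07-02T18:01:00.000000+0000","event_type":"stats","stats":{"uptime":120,"capture":{"kernel_packets":3000000,"kernel_drops":8200}}}
{"timestamp":"2019-07-02T18:02:00.000000+0000","event_type":"stats","stats":{"uptime":8,"capture":{"kernel_packets":500000,"kernel_drops":100}}}
"""

def drop_intervals(lines):
    """Yield (timestamp, packets, drops, drop_pct) for each stats interval."""
    prev_pkts = prev_drops = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # partially written line at the tail of a live log
        if ev.get("event_type") != "stats":
            continue
        cap = ev.get("stats", {}).get("capture", {})
        pkts, drops = cap.get("kernel_packets", 0), cap.get("kernel_drops", 0)
        if pkts < prev_pkts or drops < prev_drops:
            prev_pkts = prev_drops = 0  # counters went backwards: engine restarted
        d_pkts, d_drops = pkts - prev_pkts, drops - prev_drops
        prev_pkts, prev_drops = pkts, drops
        pct = 100.0 * d_drops / d_pkts if d_pkts else 0.0
        yield ev["timestamp"], d_pkts, d_drops, pct

def over_target(lines, target_pct=DROP_TARGET_PCT):
    """Return the intervals whose drop percentage exceeds the target."""
    return [iv for iv in drop_intervals(lines) if iv[3] > target_pct]

if __name__ == "__main__":
    for ts, pkts, drops, pct in drop_intervals(SAMPLE_EVE.splitlines()):
        flag = "OVER" if pct > DROP_TARGET_PCT else "ok"
        print(f"{ts} packets={pkts} drops={drops} drop%={pct:.3f} {flag}")
```

Working from per-interval deltas rather than the lifetime totals keeps a short burst of drops from being averaged away by hours of clean traffic.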