Suircata Throughput
-
Hello Everyone,
I am looking for users for guidance who have actually achieved 1 Gbps throughput when Suricata is actively running.
I would like to know the hardware specifications for your builds to achieve this?
Currently I have a system with the following specifications:
- Intel Atom C3758 with 8 cores, 8 threads and 16 MB Cache, CPU at 2.2 GHz.
- Up to 128 GB (RAM) ECC DDR4
- mSATA SSD 64 GB
- Intel I210-AT Gigabit Ethernet Controller
Are those specs good enough to achieve 1 Gbps throughput?
Please let me know.
Thank you.
-
With a moderate amount of rules and hyperscan activated you should come close to 900ish in totalt throughput with multiple sessions.
-
Like user @ekke mentioned, if you are sensible about the rules you enable then you can achieve your target throughput. If you enable every rule category, then "no", you won't achieve your target throughput. By "sensible" I mean things like not enabling rules that inspect for issues that will not be a threat to your environment. For example, if you do not have Internet-facing and public DNS and mail servers, then there is no need to run any rules that scan for threats targeting mail or DNS servers. If you do not have Internet-facing and public web servers, then you don't need any web server rules. There are other cases, too, where some threats may not be a problem in your network environment.
One thing you will have to do with that many cores is bump up the Stream Memcap parameter. Here is a link to an older thread on the subject: https://forum.netgate.com/topic/124850/suricata-fails-to-start.
