Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suircata Throughput

    Scheduled Pinned Locked Moved IDS/IPS
    3 Posts 3 Posters 434 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      smrehan00
      last edited by

      Hello Everyone,

      I am looking for users for guidance who have actually achieved 1 Gbps throughput when Suricata is actively running.

      I would like to know the hardware specifications for your builds to achieve this?

      Currently I have a system with the following specifications:

      1. Intel Atom C3758 with 8 cores, 8 threads and 16 MB Cache, CPU at 2.2 GHz.
      2. Up to 128 GB (RAM) ECC DDR4
      3. mSATA SSD 64 GB
      4. Intel I210-AT Gigabit Ethernet Controller

      Are those specs good enough to achieve 1 Gbps throughput?

      Please let me know.

      Thank you.

      1 Reply Last reply Reply Quote 0
      • E
        ekke
        last edited by

        With a moderate amount of rules and hyperscan activated you should come close to 900ish in totalt throughput with multiple sessions.

        1 Reply Last reply Reply Quote 0
        • bmeeksB
          bmeeks
          last edited by bmeeks

          Like user @ekke mentioned, if you are sensible about the rules you enable then you can achieve your target throughput. If you enable every rule category, then "no", you won't achieve your target throughput. By "sensible" I mean things like not enabling rules that inspect for issues that will not be a threat to your environment. For example, if you do not have Internet-facing and public DNS and mail servers, then there is no need to run any rules that scan for threats targeting mail or DNS servers. If you do not have Internet-facing and public web servers, then you don't need any web server rules. There are other cases, too, where some threats may not be a problem in your network environment.

          One thing you will have to do with that many cores is bump up the Stream Memcap parameter. Here is a link to an older thread on the subject: https://forum.netgate.com/topic/124850/suricata-fails-to-start.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.