What models of Intel CPUs are best to use with Suricata? Number of processors? Number of cores?
There is no simple answer to that. In theory the best one would be the one with the highest amount of cores and clock rate in a multi-socket system. It makes more sense to look at the requirements, starting with the traffic rate and signature amount, and find a solid CPU for that use case.
How about if it was a single socket system purpose-built appliance? I am guessing the answer would still be as many cores as you can get on a single CPU.
But what would be the suggested clock rate in any CPU for Suricata, if you had to guess? Over 2 G?
Thanks.
This depends on what you want to achieve; a 100Mbit/s traffic rate doesn’t need that much CPU compared to 10Gbit/s or even 100Gbit/s.
This also depends on how many interfaces you want to use. Budget plays a role.
Without a bit more on the requirements I can recommend anything, but it wouldn’t make much sense. The difference between a 4-8 core Intel Atom for smaller setups and a 32 core Xeon Gold is too much to give a general recommendation. Try to narrow down your use case, or use cases if there are more.
Thanks. One ISP connection is 1G/500M. The other ISP connection is 250M/250M. Same appliance. But it was two different instances of Suricata on the same appliance.
They were running an i7, but the larger connection seemed to crash the other day. Doing forensics to see if they had a DDoS, or if memory ran out.
But they are telling me that one instance of Suricata is just listening to mirrored LAN traffic. The other instance is inline with the two ISP connections.
I would recommend debugging a bit with the performance analysis we describe here: 9.11. Performance Analysis — Suricata 6.0.3 documentation
Thanks for the guidance. But what we did find was the traffic that seemed to overwhelm the network interface pairs in af-packet mode. We saw normal background traffic, then all of a sudden we saw constant traffic from IP addresses originating in China and Russia according to GeoIP data. The burst of traffic lasted for about 8 minutes, then all traffic flow stopped suddenly on those interfaces. During that burst we saw very little outbound traffic on those interfaces. To me it seems like that burst overwhelmed the pair of interfaces like a DDoS attack. This particular Suricata appliance is on the outside of the firewall. It was reported that after the Suricata appliance was powered off, the firewall took the brunt of that traffic and was able to handle the load.