Best Ways to Use Suricata in a High Traffic Network Situation

Hello Suricata Community :slightly_smiling_face:

I am currently in the process of implementing Suricata as an IDS/IPS solution for a high-traffic network environment. Our network handles a substantial amount of data daily & ensuring efficient and effective threat detection is crucial for us; I would greatly appreciate any advice or best practices from those who have experience with Suricata in similar environments.

I want to know about the following topics: You can check this

  • Which configuration options or improvements are essential to ensuring that Suricata operates effectively under heavy load?
  • In order to strike a compromise between performance & thorough threat coverage, how do you maintain and update your rules?
  • In a network with a lot of traffic, what are the best techniques for recording and examining Suricata's output?

I found the "Installing Suricata 6.0.1 with PF_RING sf-dev on CentOS 8" guide.
Any additional recommendations would be appreciated.

If there are any guides or resources that you recommend, it would be appreciated. Your insights and experiences will be invaluable as we work to enhance our network security :smiley:

Thank you :smiley: in advance for your help.

Hi,

Suricata performance is a broad topic and much of it depends on your

  • Deployment – what type of traffic will it monitor?
  • Machine resources
    • CPU
    • Memory
    • Disk subsystem
    • Network interface card(s)
  • Deployment Mode – inline (IPS) or passive (IDS)
  • Suricata rule set

We’ve prepared information to provide general guidelines – 11. Performance — Suricata 8.0.0-dev documentation. The great @pevma and his colleagues have written and shared the “Suricata Extreme Performance Tuning Guide” (aka SEPTun).
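As an added example (not part of either post, and not taken from the Suricata documentation or SEPTun), here is a suricata.yaml fragment for a passive AF_PACKET sensor on a multi-queue NIC. It maps the factors listed in the reply above (CPU count, NIC queues, memory, IDS mode, rule set) onto concrete settings. The interface name, CPU ranges, thread count and memcap sizes are placeholders that must be sized against the actual machine; the configuration keys themselves are standard Suricata ones.

```yaml
# Added example: passive (IDS) AF_PACKET sensor tuned for sustained high load.
# All numeric values and the interface/CPU lists are placeholders to adjust.

runmode: workers            # one thread does capture + decode + detect per queue;
                            # avoids hand-offs between threads under load
max-pending-packets: 4096   # more packets in flight per worker before back-pressure

af-packet:
  - interface: eth0         # placeholder: the monitored NIC
    threads: 8              # placeholder: usually one worker per NIC RSS queue
    cluster-id: 99
    cluster-type: cluster_flow   # keep both directions of a flow on one worker
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes         # block-based ring; fewer syscalls per packet
    ring-size: 200000       # per-thread ring; raise if kernel_drops climb
    block-size: 32768

threading:
  set-cpu-affinity: yes     # pin workers so they do not migrate between cores
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]          # placeholder: management/flow-manager threads
    - worker-cpu-set:
        cpu: [ "1-8" ]      # placeholder: match the 'threads' count above
        mode: "exclusive"
        prio:
          default: "high"

detect:
  profile: high             # larger MPM groups: more memory, less per-packet work

# Memcaps bound memory use; too small a value shows up as drops and truncated
# reassembly, too large a value risks swapping. Size against available RAM.
flow:
  memcap: 1gb
stream:
  memcap: 2gb
  reassembly:
    memcap: 4gb

outputs:
  # Periodic counters: the first place to look when validating a tuning change.
  - stats:
      enabled: yes
      filename: stats.log
      interval: 8
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert
        - stats:
            totals: yes
            threads: yes    # per-worker counters expose a single overloaded queue
```

After applying a change, watch the `capture.kernel_drops` counter (in stats.log or the `stats` events in eve.json) relative to `capture.kernel_packets`: a sustained non-zero drop count means the workers are not keeping up and the thread count, ring-size or rule set needs revisiting before trusting alert coverage. Per-thread stats (`threads: yes`) also reveal uneven RSS hashing, where one queue saturates while others idle.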