Configuring Suricata for High-Performance Network Monitoring

Hey guys…

I am relatively new to Suricata and have been finding its capabilities for network intrusion detection and prevention. I am setting it up in an environment with a high traffic volume (~10 Gbps) and was wondering if anyone could share tips or best practices for optimizing Suricata’s performance in such scenarios.

Specifically, I am looking for guidance on:

  1. Configuring multi-threading effectively.
  2. Tuning memory and buffer settings for better throughput.
  3. Best hardware setups for maximizing performance (e.g., NIC recommendations).
  4. Avoiding common pitfalls in high-performance deployments.

I checked this: https://forum.suricata.io/t/can-suricata-read-traffic-from-a-log-server-perform-analysis-without-an-network-interface-to-monitjiracertification But I have not found any solution. Could anyone guide me about this? I am currently using Suricata 7.0 on a Linux server with dual Xeon processors and 64GB of RAM. Any advice, resources, or real-world experiences would be greatly appreciated!

Thanks in advance!

Respected community member! :blush:

@pevma and @Andreas_Herz have just presented the 3rd installment of the Suricata Extreme Performance Guide: https://www.youtube.com/watch?v=132mNltgiH0

Their presentation builds upon the previous SEPTun guides (Part 1 and 2) and presents hardware details and such.

10Gbps is easily within reach.
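For item 1 in the question (multi-threading), here is a starting-point suricata.yaml fragment for the workers runmode with AF_PACKET and CPU pinning. This is an added example, not configuration from either poster or from the SEPTun guides; the interface name, thread count and core numbers are assumptions that must be matched to the actual NIC queue count and CPU layout.

```yaml
# Workers runmode: each thread does capture, decode, detect and output
# for its own NIC queue, avoiding cross-thread handoff.
runmode: workers

af-packet:
  - interface: eth1              # assumption: the monitored 10G NIC
    threads: 16                  # assumption: equal to the NIC's RSS queue count
    cluster-id: 99
    cluster-type: cluster_qm     # one worker per RSS queue, no kernel re-balancing
    defrag: yes
    tpacket-v3: yes              # block-based ring, lower per-packet overhead
    ring-size: 200000            # per-thread ring; raise if kernel drops appear
    block-size: 1048576

threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]               # assumption: housekeeping threads on core 0
    - worker-cpu-set:
        cpu: [ "1-16" ]          # assumption: one dedicated core per worker
        mode: "exclusive"
        prio:
          default: "high"
```

Keep the NIC queue count equal to `threads` (for example `ethtool -L eth1 combined 16`, an assumed interface) and watch `capture.kernel_drops` in stats.log after the change; rising drops mean the ring or thread count still needs tuning.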