Hello suricata comunnity.
I am planning to implement Suricata on Ubuntu 22.04 to monitor the network in a university environment, starting on a single server initially. What hardware specifications (CPU, RAM, NIC, storage) would you recommend for this initial server, which will handle heavy traffic from students and staff? Additionally, I would appreciate recommendations for scaling this setup across the entire university network in the future.
Any advice on starting with a single server and later expanding to a decentralized, multi-server setup would be very helpful.
Hi, thanks for participating in our community
Yesterday, @pevma and @Andreas_Herz presented the 3rd addition of the SEPtun (Suricata extreme performance tuning guide) at Suricon 2024. It will be available over the next few weeks. There are plenty of helpful tips for maximizing efficiency in their work.
The basic advice is getting as many cores at a high clock speed, “enough” memory, and a good nic.
I know this is very general – here’s some more specifics
- Core count: dedicated cores for suricata packet processing. Around 500-1000Mbps per Suricata worker (results vary).
- Memory: suggest 48GB - 192GB+
- Disk: Suricata generates logs; if you’re logging to a drive, choose NVME or commercial-grade SSDs
- NIC: Intel and Mellanox are good choices (see the SEPTun guide when it becomes available).