I want to know how much traffic a single Suricata thread can handle without using any extra filter and without dropping any traffic.
Unfortunately there is no short answer, because that will depend on the following (at least):
- CPU frequency.
- number of enabled rules.
- type of enabled rules.
- traffic profile/type.
- tuning options (core isolation, core pinning, bypass settings, etc.)
All of the above & more can easily increase (or decrease) the throughput of a single/multiple suricata threads significantly.
What we know is that suricata can do 20+ Gbps on tuned COTS servers with all ET open rules enabled.
But then, it all depends.
The factors that @IDSTower listed are important to consider, and a soft answer of “it depends” is the most reliable guidance.
In my observations, a well-tuned Suricata deployment shows a single Suricata worker thread capable of 500Mbps - 1Gbps without packet loss.
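The practical way to answer "how much can one thread take without dropping" on your own box is to measure it: Suricata's EVE `stats` records carry per-thread capture counters when `stats.threads` is enabled, and the delta between two records gives packets/s and the drop percentage per worker. The script below is an added example written for this thread, not code from the Suricata project or either poster; the two stats records are constructed sample data, the thread names (`W#01-eth0`, `W#02-eth0`) and counter values are made up, and the nesting `stats.threads.<name>.capture.kernel_packets/kernel_drops` is assumed to match the af-packet counters Suricata emits.

```python
"""Per-thread drop check over Suricata EVE 'stats' records (constructed sample data)."""
import json

# Constructed sample: two EVE stats records 10 s apart with per-thread capture
# counters (as emitted with `stats.threads: yes`). Thread names and numbers are made up.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2024-01-01T00:00:00.000000+0000", "event_type": "stats",
                "stats": {"uptime": 100, "threads": {
                    "W#01-eth0": {"capture": {"kernel_packets": 1000000, "kernel_drops": 0}},
                    "W#02-eth0": {"capture": {"kernel_packets": 1000000, "kernel_drops": 500}}}}}),
    json.dumps({"timestamp": "2024-01-01T00:00:10.000000+0000", "event_type": "stats",
                "stats": {"uptime": 110, "threads": {
                    "W#01-eth0": {"capture": {"kernel_packets": 1800000, "kernel_drops": 0}},
                    "W#02-eth0": {"capture": {"kernel_packets": 2200000, "kernel_drops": 30500}}}}}),
]


def parse_stats(lines):
    """Return (uptime, {thread: capture counters}) for each EVE 'stats' record, oldest first."""
    records = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "stats":
            continue  # skip alerts, flows, etc. when reading a full eve.json
        threads = ev["stats"].get("threads", {})
        per_thread = {name: t["capture"] for name, t in threads.items() if "capture" in t}
        records.append((ev["stats"]["uptime"], per_thread))
    return records


def per_thread_rates(records):
    """Delta the first and last record: packets/s and drop percentage per worker thread.

    Counters are cumulative since start, so the difference over the interval is the
    load that thread actually saw; drop_pct is kernel drops as a share of packets seen.
    """
    (t0, first), (t1, last) = records[0], records[-1]
    interval = t1 - t0
    if interval <= 0:
        raise ValueError("need at least two stats records with increasing uptime")
    rates = {}
    for name, cap in last.items():
        prev = first.get(name, {})
        pkts = cap.get("kernel_packets", 0) - prev.get("kernel_packets", 0)
        drops = cap.get("kernel_drops", 0) - prev.get("kernel_drops", 0)
        rates[name] = {
            "pps": pkts / interval,
            "drop_pct": (100.0 * drops / pkts) if pkts else 0.0,
        }
    return rates


def overloaded_threads(rates, max_drop_pct=0.1):
    """Names of worker threads whose drop percentage exceeds the tolerance (default 0.1%)."""
    return sorted(name for name, r in rates.items() if r["drop_pct"] > max_drop_pct)


if __name__ == "__main__":
    rates = per_thread_rates(parse_stats(SAMPLE_EVE_LINES))
    for name, r in sorted(rates.items()):
        print(f"{name}: {r['pps']:.0f} pkt/s, {r['drop_pct']:.2f}% dropped")
    print("overloaded:", overloaded_threads(rates))
```

Run it against a real `eve.json` by feeding the file's lines instead of `SAMPLE_EVE_LINES`; a thread that shows non-zero `drop_pct` while its `pps` keeps climbing has hit its ceiling under the current rule set and tuning, which is the per-thread number the question asks for. Converting pkt/s to Mbps needs a byte counter or the average packet size of your traffic profile, which the capture counters alone do not give.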