My organization wants to implement Suricata as an IDS, but I don’t know how.
It would be very helpful if you could tell me all the requirements I need (how many instances, hardware requirements, sensor management system solutions, etc.).
Thanks in advance.
It is highly dependent on your network: physical or virtual, number of branches, etc.
To keep things simple, you will need the following to start with:
- a way to mirror the traffic from your network to Suricata servers, you can start with a port mirror on your main switch and later move to other options (eg: physical taps + taps aggregation).
- a single Suricata server. HW requirements vary depending on the traffic in the network; a single-socket Intel server with 18 cores, 128GB of RAM and SSD drives can be a good start. This server should be able to handle ~10Gbps when tuned.
- you will need a UI to view and analyze alerts. An ELK stack can be a good starting point, or you can forward the alerts to your SIEM if you have one.
As for sensor management solutions, I will recommend my own, as it is totally free for a single Suricata host, but there are other alternatives you can search for.
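Whichever UI or SIEM you land on for the last step, it will consume Suricata's EVE JSON output (`eve.json`, enabled under `outputs: eve-log` in `suricata.yaml` with the `alert` type). The script below is an added example, not code from the answer above or from the Suricata project: it reads eve.json lines, keeps only `alert` events, skips partial lines, flattens each alert into the fields a SIEM normally indexes, and builds a quick summary by signature, severity and source IP. The sample lines are constructed and use sids from the local-rule range (1000000+), not real rule IDs.

```python
"""Minimal consumer for Suricata EVE JSON alert records (added example)."""
import json
from collections import Counter
from typing import Any, Dict, Iterable, List

# Constructed sample of eve.json lines: not captured traffic, and the sids
# are placeholders in the local-rule range rather than real ET/GPL rules.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1,"event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51000,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,'
    '"signature":"LOCAL example policy rule A","category":"Policy Violation","severity":3}}',
    # a non-alert event type (flow record); eve.json mixes these in
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":2,"event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"UDP"}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","flow_id":3,"event_type":"alert",'
    '"src_ip":"10.0.0.7","src_port":42000,"dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,'
    '"signature":"LOCAL example rule B","category":"Example High","severity":1}}',
    # a truncated line, as seen when the file is read while Suricata is mid-write
    '{"timestamp":"2024-01-01T10:00:03.000000+0000","flow_id":4,"event_type":"al',
    '{"timestamp":"2024-01-01T10:00:04.000000+0000","flow_id":5,"event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51001,"dest_ip":"203.0.113.11","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,'
    '"signature":"LOCAL example policy rule A","category":"Policy Violation","severity":3}}',
]


def parse_alerts(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Return only well-formed 'alert' events from an eve.json line stream."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # partial/corrupt line: skip rather than abort the whole batch
        if event.get("event_type") != "alert" or "alert" not in event:
            continue
        alerts.append(event)
    return alerts


def flatten_alert(event: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten the nested EVE alert into the fields a SIEM usually indexes."""
    a = event["alert"]
    return {
        "timestamp": event.get("timestamp"),
        "src_ip": event.get("src_ip"),
        "src_port": event.get("src_port"),
        "dest_ip": event.get("dest_ip"),
        "dest_port": event.get("dest_port"),
        "proto": event.get("proto"),
        "sid": a.get("signature_id"),
        "rev": a.get("rev"),
        "signature": a.get("signature"),
        "category": a.get("category"),
        "severity": a.get("severity"),  # Suricata: 1 is the highest priority
        "action": a.get("action"),
    }


def summarize(alerts: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Count alerts by signature, severity and source IP for a quick triage view."""
    return {
        "total": len(alerts),
        "by_signature": Counter(a["alert"].get("signature") for a in alerts),
        "by_severity": Counter(a["alert"].get("severity") for a in alerts),
        "by_src_ip": Counter(a.get("src_ip") for a in alerts),
    }


def prioritized(alerts: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Flattened alerts ordered highest severity first (severity 1 before 3)."""
    return sorted((flatten_alert(a) for a in alerts),
                  key=lambda f: (f["severity"] if f["severity"] is not None else 99,
                                 f["timestamp"] or ""))


if __name__ == "__main__":
    # With a live sensor: parse_alerts(open("/var/log/suricata/eve.json"))
    found = parse_alerts(SAMPLE_EVE_LINES)
    print(json.dumps(summarize(found), indent=2))
    for row in prioritized(found):
        print(row["severity"], row["sid"], row["src_ip"], "->", row["dest_ip"], row["signature"])
```

On a real sensor, point `parse_alerts` at `/var/log/suricata/eve.json` (or tail it with a log shipper such as Filebeat into ELK); the flattened dicts are what you would index or forward, and the summary gives a first sanity check that the mirror port is actually delivering traffic and rules are firing.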