Implementing Suricata in production environment

Hello All,

My organization wants to implement Suricata as an IDS, but I don’t know how.

It would be very helpful if you can tell me all the requirements I need (how many instances, hardware requirements, sensor management system solutions, ...).

Thanks in advance.

It is highly dependent on your network: physical or virtual, number of branches, etc.
To keep things simple, you will need the following to start with:

  1. A way to mirror the traffic from your network to the Suricata servers. You can start with a port mirror on your main switch and later move to other options (e.g. physical taps + tap aggregation).
  2. A single Suricata server. HW requirements vary depending on the traffic in the network; a single-socket Intel server with 18 cores, 128GB of RAM and SSD drives can be a good start. This server should be able to handle ~10Gbps when tuned.
  3. You will need a UI to view and analyze alerts; an ELK stack can be a good starting point, or you can forward the alerts to your SIEM if you have one.

As for sensor management solutions, I will recommend my own :wink:, as it is totally free for a single Suricata host, but there are other alternatives you can search for.
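Step 3 of the answer above (getting alerts into ELK or a SIEM) is where most first deployments stall, so here is an added example, not code from the original post or from Suricata itself, that reads Suricata's EVE JSON output (eve.json), keeps only alert events, summarises them by signature, severity and source, and flattens high-priority alerts into key=value lines a syslog or SIEM forwarder can ship. The input lines are constructed to follow Suricata's documented EVE alert field layout (`event_type`, `src_ip`, `dest_ip`, `alert.signature_id`, `alert.severity`, ...); the interface name `eth1`, the signature IDs in the 9000000 range and the signature names are assumptions made up for the sample, not real rules:

```python
"""Parse Suricata EVE JSON alerts and summarise/forward them (added example).

The sample lines below are constructed, not captured from a real sensor;
they follow Suricata's EVE JSON alert schema.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List


def _event(event_type: str, src_ip: str, dest_ip: str, dest_port: int, **extra) -> str:
    """Build one constructed EVE JSON line (helper for the sample data only)."""
    record = {
        "timestamp": "2024-01-01T10:00:00.000000+0000",
        "flow_id": 1,
        "in_iface": "eth1",  # assumed name of the mirror-port interface
        "event_type": event_type,
        "src_ip": src_ip, "src_port": 51234,
        "dest_ip": dest_ip, "dest_port": dest_port, "proto": "TCP",
    }
    record.update(extra)
    return json.dumps(record)


def _alert(sid: int, signature: str, severity: int) -> dict:
    """Constructed 'alert' sub-object in Suricata's EVE layout (sid/name are made up)."""
    return {"action": "allowed", "gid": 1, "signature_id": sid, "rev": 1,
            "signature": signature, "category": "Constructed Test Category",
            "severity": severity}


# Constructed eve.json content: three alerts (one signature twice), one flow
# record that must be ignored, and one truncated line such as log rotation can leave.
SAMPLE_EVE_LINES = [
    _event("alert", "10.0.0.5", "203.0.113.7", 80,
           alert=_alert(9000001, "TEST Outbound HTTP to test-net host", 2)),
    _event("flow", "10.0.0.6", "10.0.0.1", 53),
    _event("alert", "10.0.0.9", "198.51.100.2", 4444,
           alert=_alert(9000002, "TEST Reverse shell port 4444", 1)),
    _event("alert", "10.0.0.5", "203.0.113.7", 80,
           alert=_alert(9000001, "TEST Outbound HTTP to test-net host", 2)),
    "this line is not json {",
]


def parse_alerts(lines: Iterable[str]) -> List[dict]:
    """Return only well-formed alert events; skip other event types and bad lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a half-written line at rotation time must not stop ingestion
        if event.get("event_type") != "alert" or "alert" not in event:
            continue
        alerts.append(event)
    return alerts


def summarize(alerts: List[dict]) -> Dict[str, Counter]:
    """Counts by signature, by severity and by source IP, for a quick triage view."""
    return {
        "by_signature": Counter(a["alert"]["signature"] for a in alerts),
        "by_severity": Counter(a["alert"]["severity"] for a in alerts),
        "by_src_ip": Counter(a["src_ip"] for a in alerts),
    }


def high_priority(alerts: List[dict], max_severity: int = 1) -> List[dict]:
    """In Suricata, severity 1 is the highest priority (lower number = more severe)."""
    return [a for a in alerts if a["alert"]["severity"] <= max_severity]


def to_forward_line(alert: dict) -> str:
    """Flatten one alert into a single key=value line for a syslog/SIEM forwarder."""
    a = alert["alert"]
    fields = [
        ("ts", alert["timestamp"]),
        ("sid", a["signature_id"]),
        ("sev", a["severity"]),
        ("src", f'{alert["src_ip"]}:{alert["src_port"]}'),
        ("dst", f'{alert["dest_ip"]}:{alert["dest_port"]}'),
        ("proto", alert["proto"]),
        ("sig", json.dumps(a["signature"])),  # quoted so spaces stay inside one field
    ]
    return " ".join(f"{k}={v}" for k, v in fields)


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_EVE_LINES)
    for name, counter in summarize(found).items():
        print(name, dict(counter))
    for hp in high_priority(found):
        print(to_forward_line(hp))
```

On a real sensor the same functions would be fed from a tail of `eve.json` (or the file path configured under `outputs: - eve-log:` in suricata.yaml), and the forward lines would go to the SIEM collector; the point of the example is that non-alert event types and broken lines must be tolerated before the data is useful in ELK.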