Some hardware confusion

Wonder how much storage and memory Suricata will take up if it is installed on a Linux server, and what performance server should we prepare?

This depends on what you want to achieve, what traffic you expect, what logs you enable, what rulesets you use etc.

It can run on a Raspberry Pi 4 for small setups but you can also see setups with dual socket AMD Epyc 256 cores and 512GB RAM and TBs of SSDs.

To build on what @Andreas_Herz stated, you can control resource consumption on the deployment platform. Suricata’s configuration file (usually suricata.yaml) allows you to control how much system resource is used:

  • CPU core count
  • Memory limits (“memcap” values)
  • Amount of non-alert information logged
  • Where log file(s) go
  • Alert thresholds

Many deployment scenarios use logrotate or equivalent to manage storage use.
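
For reference, a suricata.yaml fragment touching each of the knobs listed above. This is an added example, not configuration posted by anyone in the thread; the core numbers, memcap sizes and paths are constructed values for a small sensor and need to be sized against your own traffic.

```yaml
# Constructed example values; tune for your link speed and host.

# Where log files go
default-log-dir: /var/log/suricata/

# Amount of non-alert information logged: only alert events are enabled,
# the protocol and flow records are left commented out to save disk.
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert
        # - http
        # - dns
        # - tls
        # - flow

# CPU core count: pin management threads to core 0, workers to cores 1-2
threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]
    - worker-cpu-set:
        cpu: [ 1, 2 ]
        mode: "exclusive"

# Memory limits ("memcap" values) for the main tracking tables
flow:
  memcap: 128mb
defrag:
  memcap: 32mb
host:
  memcap: 32mb
stream:
  memcap: 64mb
  reassembly:
    memcap: 256mb

# Alert thresholds are kept in a separate file referenced from here
threshold-file: /etc/suricata/threshold.config
```

The memcaps bound the flow, defrag, host and stream tables only; the loaded ruleset and packet buffers use memory on top of them, so the sum of these values is not the total footprint of the process.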