
Suricata CPU rule of thumb?

#1

Hello everyone,

I recently tried out Suricata on my HP T620 Plus thin client.

I was amazed by how CPU hungry this piece of software is. My Down/Up speeds took a hit from 200/200 to 50/50 (granted it is through a VPN).

I suppose I don’t really have a need to run Suricata on a home connection, but I started wondering. Is there a rule of thumb or any documentation about Suricata CPU vs throughput? Does it scale better with cores or frequency? What about dual sockets and NUMA nodes?

I started thinking about repurposing my old 4770K with 16GB of RAM as a firewall, but then my ISP rolled out some new 400/400, 600/600 and even 1G/1G (for crazy money) plans, and I started wondering what kind of hardware I would need for Suricata on the faster plans.

Edit: Forgot to mention, I was using the Suricata rules Lawrence Systems used in their video.

0 Likes

#2

I’m not sure about what CPU to suggest, but if you don’t run it inline then it won’t impact your bandwidth. Instead, Suricata will run on a copy of the data and not the actual data, so there will be a negligible delay between when a packet arrives and when it is blocked (which exists even in inline mode), but functionally it will do the same job without tanking your performance.

1 Like