
Suricata CPU rule of thumb?


Hello everyone,

I recently tried out Suricata on my HP T620 Plus thin client.

I was amazed by how CPU hungry this piece of software is. My Down/Up speeds took a hit from 200/200 to 50/50 (granted it is through a VPN).

I suppose I don’t really have a need to run Suricata on a home connection, but I started wondering: is there a rule of thumb or any documentation about Suricata CPU vs throughput? Does it scale better with cores or frequency? What about dual sockets and NUMA nodes?

I started thinking about repurposing my old 4770K with 16GB of RAM as a firewall, but then my ISP rolled out some new 400/400, 600/600 and even 1G/1G (for crazy money) plans, and I started wondering what kind of hardware I would need for Suricata on the faster plans.

Edit: Forgot to mention, I was using the Suricata rules Lawrence Systems used in their video.



I’m not sure about what CPU to suggest, but if you don’t run it inline then it won’t impact your bandwidth. Instead, Suricata will run on a copy of the data and not the actual data, so there will be a negligible delay between when a packet arrives and when it is blocked (which exists even in inline mode), but functionally it will do the same job without tanking your performance.
