Return to Level1Techs.com

Suricata CPU rule of thumb?

#1

Hello everyone,

I recently tried out suricata on my HP T620 Plus thin client.

I was amazed by how CPU hungry this piece of software is. My Down/Up speeds took a hit from 200/200 to 50/50 (granted it is through a VPN).

I suppose I don’t really have a need to run suricata on a home connection but I started wondering. Is there a rule of thumb or any documentation about suricata CPU vs throughput? Does it scale better with cores or frequency? What about dual sockets and NUMA nodes?

I started thinking about repurposing my old 4770K with 16GB of RAM as a firewall but then my ISP rolled out some new 400/400, 600/600 and even 1G/1G (for crazy money) and started wondering what kind of hardware would I need for suricata on the faster plans?

Edit: Forgot to mention, I was using the suricata rules Lawrence Systems used on their video.

0 Likes

#2

I’m not sure about what CPU to suggest, but if you don’t run it inline then it won’t impact your bandwidth. Instead surricata will run on a copy of the data and not the actual data, so there will be a negligible delay between when a packet arrives and when it is blocked (which exists even in inline mode) but functionally it will do the same job without tanking your performance.

1 Like

#3

Suricata was created to be effectively a multi threaded Snort and will scale continuously with increased core count. Throwing more cores at it is the best way to gain performance.

0 Likes

#4

I’m not gunna lie I’m just going to ask

What

1 Like

#5

I’ve looked into suricata out of curiosity before, never bothered actually setting it up myself. Suricata claims to support hyperscan (which is this freakishly optimized nfa multi regex matcher written by Intel that I’ve tried using in a different project, and it’s amazing).

I’m surprised you’re hitting a wall at 50mbps, you’ve tried tuning things? Checking if your drivers are good, etc (regular firewall at gigabit speeds should keep your cpu mostly idle)

0 Likes

#6

Everything seems to be fine. I am running a VPN for some clients and I do have a number of interfaces so that might have something to do with it. Also, the AMD APU in the T620 is not the most powerful chip.

0 Likes