Fair enough on parts you already had.
Firstly, as a random who has never been there, what is wrong with your national online stores in Sri Lanka? Barclays, PCnet, Tera etc… Sure the range may not be cutting edge, but I can find most parts somewhere, and you don’t need to get stuff on the bleeding edge for this type of application.
I ask because not only is shipping expensive, but B&H are really a camera and film industry store. They list lots more things, but non-core market listings are pretty high price and often not in stock. For example they don’t list any SOC boards beyond the old AMD thin clients, or any LGA1151, 1150 or 1155 low power Xeons. If B&H really is your only choice they do have one Broadwell low power Xeon (35w 8 threaded complete with ALL extensions), but it’s in a miniserver barebones. The small size is nice, and it gives you 6 RJ45 gigabit Ethernet ports, 2x SFP+ and a single slot half height PCIe, but the 3x 40mm fans are louder than a single 120mm would be.
You can find that Xeon miniserver here:
https://www.bhphotovideo.com/c/product/1302805-REG/supermicro_sys_e300_8d_e300_8d_superserver_black.html
Before I list any other actual recommendations though, a note that Suricata only used to be super system intensive and not well threadable back before 2012 (and then only 4x more than Snort), so for an example to run home how overkill your idea is these days: the E5-2680 0 @ 2.70GHz, an 8 core hyperthreaded Xeon, was demonstrated to push 10 gigabits through Suricata in 2012. You need 1% of that traffic, yet due to processors improving in the last 5 years and the higher clockspeed of consumer parts your i7 7700k is almost the same raw work potential… scaling is not perfect but you’re on the order of 100x more CPU than it needs to be at minimum, and >5x as big as I’d buy.
That said unless you already have the i7 and not another use for it, I’d recommend just keeping using it; you won’t save enough power with anything that you can put in that socket to make it worth the swap. I say that because even though it’s an 88w part vs a 16w-35w, those are the peak operating numbers, and at idle or low loads it’ll be much more even as the i7 won’t push to its max clockspeed and thus will run at less voltage (in fact you could even underclock/undervolt in the BIOS if you feel like it… 3.0 GHz would be heaps for your needs and allow considerably lower voltage). Underclocking could maybe halve the TDP of your i7, so ~44w to 35w, which is not so bad.
If you don’t already own your CPU or mobo the most important question is how fast is your actual max linespeed. Since if you’re on a nominally 100 megabit line, even if you only get an average of 40 megabit, it still can on a second or so level arrive as a short burst at up to the 100 megabit rate, so the system’s needs should be specified to that. Also the rough rule of thumb is you get about 200Mbps per modern Suricata and Bro worker, so two modern cores at regular enterprise type frequencies (3.0-3.5 GHz) would handle your traffic with a max of 50% load. Thus don’t shy away from a lower wattage Xeon, it’ll get the job done.
16gb RAM is perfect for your needs, Suricata wise; you’d probably get away with 8gb but no reason to push it. I fully support going for 2 non-fancy DIMMs from a good company so you can upgrade RAM in future. Motherboard wise you have no special needs… so the most basic server board with dual gigabit NICs will do, and normally basic is good for reliability, power use and your wallet, especially vs a gaming mobo. I also recommend going mITX and getting a cheap tiny case that can go on a shelf with your switch and modem; you don’t need the space (no expansion cards) nor want to be running high wattages or many fans.
A 4 core Atom SOC board would be perfect for your needs: >25% of the i7’s performance, 4 threads, dual NICs and 4 RAM slots on a 16w passively cooled mITX form factor, and yes, something new like the C3558 has the AES-NI on chip (and all the virt extensions). A weird but cool feature they have is the ability to run off 12v DC only OR a normal 24 pin ATX connector, so you can avoid stepping up to mains power from your UPS to run an ATX PSU to turn it back to 12v DC… which can save money, space and power. If you need more threads, there is the 25w 8 core, but beyond that the 35w Xeons make more sense.
Link to Atom SOCs: http://www.supermicro.com/products/motherboard/atom/
If you’re doing full packet capture you’ll need big amounts of storage though, as in twice your highest average actual line traffic rate over the time you want to keep logs multiplied by the number of seconds the log is for. In other words if you pull full 100mbps all day and want 48hrs logged you’ll need a terabyte. A week will fit on a 4tb drive, and I’d consider something basic like RAID1 if this is actually critical to you (no real need for ZFS or anything though).
Finally you NEED a good UPS. Lots of these features hate unexpected power offs and will give buggy performance on a partial brown out until next properly power cycled. It only needs to last long enough to shut the machine down (from full load and once the batteries are at your nominal end of life), but it needs to be present and work.