Suricata is an open-source, signature-based intrusion prevention (IPS) and intrusion detection (IDS) system. Like most security and network monitoring applications, Suricata is CPU-bound. That is to say, available CPU resources are often not adequate to handle the required application processing load. The Suricata project openly acknowledges this in its user guide:
“…having additional CPUs available provides a greater performance boost than having more RAM available. That is, it would be better to spend money on CPUs instead of RAM when configuring a system.” Source: Official Suricata User Guide, release 4.1.0 (page 119)
Sometimes adding more CPUs is the right answer, but there is also an alternative: adding an FPGA-based hardware adapter/NIC to offload intensive and repetitive tasks from the host CPU.