Sizing hardware for MISP deployment usually comes early in the project, without much view of what kind of sizing may be useful nor what kind of usage volumes will be.
serve local pages through local web server: python2 -m SimpleHTTPServer 8000 open http://127.0.0.1:8000/
Basic information on MISP ressource usage
MISP is done to be deployable without consuming 8 GB of RAM when empty. You can run it on a 2GB RAM machine, with limited disk such as 30GB. For sure it can run on less, but then you will be limited later when samples are uploaded for example.
Criterias that have impact on Disk + RAM + CPU + ... (from most impacting to less impacting):
- Count and size of attributes, objects, events, file attachements (most impact on: DISK)
- Correlation of event between each other (most impact on: CPU and Memory)
- Size of file attachments (most impact on: DISK)
- Number of REST API queries per minutes (most impact on: CPU and Memory)
- Number of displayed web page per minutes (most impact on: CPU and Memory)
- Number of users (most impact on: not much if they don't browse, already accounted in the webpage/mn metric)
This is crude estimation based on many varying parameters that may be totally wrong for your usage or your organization. So take these results with cautions.
- If your attributes (alerts fields) are large strings for example, then the required disk size may be MUCH larger.
- If you plan to attach MANY LARGE FILES to each event, same, required disk size will be larger.
- If you have few users that do A LOT of REST API queries, required CPU and Memory will need to be larger. (tip: you might want to consider using zmq pubsub instead of REST API polling queries)
This project was done in the course of a few hours, during the Hackathon + Training of March 2018 at CIRCL / SMILE in Luxembourg. If you have any request (feature, support, ...): create an issue on github. If you want to get in touch with author: --NOSPAM-- phil ..AT.. P1sec ..DOT.. com --THANKS--