misp-book/requirements/README.md

1.1 KiB

MISP Instance requirements

Intro

There are various ways you can run a MISP instance.

  • Virtualized with docker/ansible/packer etc
  • VMware/Virtualbox/Xen etc
  • Dedicated hardware
  • Road warrior setups
  • Air-gapped setups

Whilst there is never an ultimate answer to what specifications a system needs, we try to give an approximate answer depending on your use case.

The biggie

Having millions of events with millions of attributes (indicators) will eventually result in sub-par performance. Ideally you have millions of attributes and thousands of events. But this also depends on how you ingest the data. With millions of attributes a bottleneck could be the correlation engine. Especially if you have many duplicates in your events. (Use the feed matrix to see if feeds are massively overlapping)

Tool assisted sizing

During a hackathon misp-sizer was conceived. (code) This can give you a very rough estimate and needs some more improvements.