Last modified: Tue Nov 09 2021 10:02:29 GMT+0100 (Central European Standard Time)
There are various ways you can run a MISP instance.
- Virtualized with docker/ansible/packer etc
- VMware/Virtualbox/Xen etc
- Dedicated hardware
- Road warrior setups
- Air-gapped setups
Whilst there is never an ultimate answer to what specifications a system needs, we try to give an approximate answer depending on your use case.
Having millions of events with millions of attributes (indicators) will eventually result in sub-par performance. Ideally you have millions of attributes and thousands of events. But this also depends on how you ingest the data. With millions of attributes a bottleneck could be the correlation engine. Especially if you have many duplicates in your events. (Use the feed matrix to see if feeds are massively overlapping)