Authorative: http://minsvyaz.ru/common/upload/prikaz_16-01-2008_N6.pdf (sorry, the document's in Russian and I can't find any translation, nor skilled enough to do that myself) - I'm not a lawyer, but in my understanding (as I was explained) this decree contains requirements to networks that ISPs must conform to (otherwise they can't get the license and provide services), and it states (in thick legalese) that all subscriber-generated traffic must be mirrored to operational search activities control ("пункт управления ОРМ"), which is usually (but maybe not universally) a black box sitting in a rack.
From what I've heard, SORM-2 hardware is a secured 1U *nix-based server (peer was not sure whenever it was BSD or GNU/Linux variant), running some kind of sniffer (probably pcap-based) software with some FSB's in-house tools. They are supposed to be dormant for the most of time, but nobody except FSB knows what they're actually doing (and they don't have to report when they're doing a lawful intercetion).
Non-authorative reference: http://en.wikipedia.org/wiki/SORM#SORM-2
From what I've heard, SORM-2 hardware is a secured 1U *nix-based server (peer was not sure whenever it was BSD or GNU/Linux variant), running some kind of sniffer (probably pcap-based) software with some FSB's in-house tools. They are supposed to be dormant for the most of time, but nobody except FSB knows what they're actually doing (and they don't have to report when they're doing a lawful intercetion).