Snort mailing list archives
NIDS capacity planning formula and feedback
From: Martin Holste <mcholste () gmail com>
Date: Tue, 12 Apr 2011 10:54:16 -0500
I just put up a blog post on capacity planning for both Snort and Suricata (http://ossectools.blogspot.com/2011/04/network-intrusion-detection-systems.html) in which I propose the following formula for sizing a sensor on a web-client-rich network such as most offices and businesses (as opposed to server-rich data centers). From the post:

"1 CPU = (1000 signatures) * (500 megabits network traffic)

That is, you need one CPU for every thousand signatures inspecting 500 Megabits of network traffic. So if your rule set has 4000 signatures and your Internet gateway has 300 Megabits of network traffic, you will need at least ((4000/1000) = 4) * ((300/500) = .6) = 2.4 CPU's, meaning you'll need to spread the traffic across three CPU's."

I detail the reasons behind the formula in the post, but I'm interested in feedback from these lists as to:

A. The above formula
B. Methods used for validation
C. Server-oriented sensor numbers
D. Other performance considerations (measurable effect of output types, etc.)

Thanks,

Martin