Snort mailing list archives

NIDS capacity planning formula and feedback


From: Martin Holste <mcholste () gmail com>
Date: Tue, 12 Apr 2011 10:54:16 -0500

I just put up a blog post on capacity planning for both Snort and
Suricata (http://ossectools.blogspot.com/2011/04/network-intrusion-detection-systems.html)
in which I propose the following formula for sizing a sensor on a
web-client-rich network such as most offices and businesses (as
opposed to server-rich data centers).  From the post:
"1 CPU = (1000 signatures) * (500 megabits network traffic)
That is, you need one CPU for every thousand signatures inspecting 500
Megabits of network traffic. So if your rule set has 4000 signatures
and your Internet gateway has 300 Megabits of network traffic, you
will need at least ((4000/1000) = 4) * ((300/500) = .6) = 2.4 CPUs,
meaning you'll need to spread the traffic across three CPUs."

I detail the reasons behind the formula in the post, but I'm
interested in feedback from these lists as to:
A. The above formula
B. Methods used for validation
C. Server-oriented sensor numbers
D. Other performance considerations (measurable effect of output types, etc.)

Thanks,

Martin
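The sizing rule above, encoded as a small calculator; this is an added example, not code from the post or from Martin's blog. It applies the formula as stated, then rounds the fractional result up to whole CPUs (the post's 2.4 -> 3 step) and adds two derived views that are my own extension of the rule: the inverse (how much traffic a given CPU count can inspect with a rule set) and the per-CPU load once traffic is spread evenly.

```python
import math

# Constants from the proposed formula: one CPU handles 1000 signatures
# inspecting 500 Mbit/s on a web-client-rich network.
SIGNATURES_PER_CPU = 1000
MBPS_PER_CPU = 500


def fractional_cpus(signatures: int, mbps: float) -> float:
    """Raw CPU demand, (signatures/1000) * (mbps/500); may be fractional."""
    return (signatures / SIGNATURES_PER_CPU) * (mbps / MBPS_PER_CPU)


def cpus_required(signatures: int, mbps: float) -> int:
    """Whole CPUs to provision: a sensor cannot run on 0.4 of a CPU, so
    round up, and never go below one CPU even for tiny rule sets."""
    return max(1, math.ceil(fractional_cpus(signatures, mbps)))


def max_mbps(cpus: int, signatures: int) -> float:
    """Inverse of the rule (my extension, not in the post): the most traffic
    `cpus` CPUs can inspect with `signatures` rules loaded."""
    return cpus * MBPS_PER_CPU * (SIGNATURES_PER_CPU / signatures)


def mbps_per_cpu(signatures: int, mbps: float) -> float:
    """Load each CPU carries once traffic is spread evenly across the
    required CPUs (assumes an even split, as the post's 'spread' does)."""
    return mbps / cpus_required(signatures, mbps)


if __name__ == "__main__":
    # The post's worked case: 4000 signatures, 300 Mbit/s gateway.
    sigs, rate = 4000, 300
    print(f"fractional CPUs : {fractional_cpus(sigs, rate):.1f}")   # 2.4
    print(f"CPUs to buy     : {cpus_required(sigs, rate)}")         # 3
    print(f"Mbit/s per CPU  : {mbps_per_cpu(sigs, rate):.0f}")      # 100
    print(f"3 CPUs can take : {max_mbps(3, sigs):.0f} Mbit/s")      # 375
```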
