[Snort-users] NIDS capacity planning formula and feedback

Martin Holste mcholste at ...11827...
Tue Apr 12 11:54:16 EDT 2011

I just put up a blog post on capacity planning for both Snort and
Suricata (http://ossectools.blogspot.com/2011/04/network-intrusion-detection-systems.html)
in which I propose the following formula for sizing a sensor on a
web-client-rich network such as most offices and businesses (as
opposed to server-rich data centers).  From the post:
"1 CPU = (1000 signatures) * (500 megabits of network traffic)
That is, you need one CPU for every thousand signatures inspecting 500
megabits of network traffic. So if your rule set has 4000 signatures
and your Internet gateway has 300 megabits of network traffic, you
will need at least ((4000/1000) = 4) * ((300/500) = 0.6) = 2.4 CPUs,
meaning you'll need to spread the traffic across three CPUs."

I detail the reasons behind the formula in the post, but I'm
interested in feedback from these lists as to:
A. The above formula
B. Methods used for validation
C. Server-oriented sensor numbers
D. Other performance considerations (measurable effect of output types, etc.)
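The sizing rule quoted above, carried through as a small calculator. This is an added example, not code from Martin Holste's post or blog: the two constants are the post's own (1000 signatures and 500 megabits per CPU), the rounding-up to whole CPUs follows the post's "spread the traffic across three CPUs", and the inverse function (how much traffic a given CPU count can carry with a given rule set) is an assumed extension of the formula, not something the post states.

```python
import math

# Constants from the post's formula: one CPU handles 1000 signatures
# inspecting 500 megabits of traffic.
SIGS_PER_CPU = 1000
MBPS_PER_CPU = 500


def cpu_load(signatures, mbps):
    """Fractional CPU demand: (signatures / 1000) * (mbps / 500).

    For the post's example (4000 signatures, 300 Mbps) this is 2.4.
    """
    return (signatures / SIGS_PER_CPU) * (mbps / MBPS_PER_CPU)


def cpus_required(signatures, mbps):
    """Whole CPUs to spread the traffic across.

    A fractional CPU is rounded up, never down (2.4 -> 3), and a sensor
    always needs at least one CPU, however small the rule set or link.
    """
    return max(1, math.ceil(cpu_load(signatures, mbps)))


def max_mbps(signatures, cpus):
    """Assumed inverse of the formula (not stated in the post): the traffic
    that `cpus` CPUs can inspect with a rule set of `signatures` rules.
    """
    return cpus * MBPS_PER_CPU * SIGS_PER_CPU / signatures


if __name__ == "__main__":
    # Worked example from the post: 4000 signatures on a 300 Mbps gateway.
    sigs, mbps = 4000, 300
    print(f"load = {cpu_load(sigs, mbps):.1f} CPUs -> "
          f"{cpus_required(sigs, mbps)} CPUs required")
    # With three CPUs, how much traffic can the same rule set inspect?
    print(f"3 CPUs with {sigs} signatures inspect up to "
          f"{max_mbps(sigs, 3):.0f} Mbps")
```

Note that the formula assumes load scales linearly in both rule count and traffic, which is exactly the assumption the post is asking the lists to validate; the calculator does not check it, it only applies it.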
