[Snort-users] Quick sizing question

Lee Brown leeb at ...17725...
Sat Jan 7 13:38:32 EST 2017


Hi,

We are about to install gigabit internet and I need to employ Snort as an
IPS for p2p traffic only.  From what I read here
<http://ossectools.blogspot.com/2011/04/network-intrusion-detection-systems.html>,
it would seem a single core should be sufficient?

1 CPU = (1000 signatures ) * (500 megabits network traffic)

I expect to have 100 signatures and 1000 megabits, so:
(100/1000) * (1000/500) = 0.2 CPU's

Does this look about right to anybody?  I have no problem buying new
hardware for an IPS, but this looks like I could use some legacy hardware
to drive it, assuming a multi-core server (I have in mind a 2009 Xeon
2.8GHz, not sure if the bus is sufficient though).

Thanks -- lee
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170107/f3887e37/attachment.html>


More information about the Snort-users mailing list