3.0 Sizing and Tuning Recommendations
3.1 Sizing Guidelines
Any
•Single vs. Multi-Processor
•Number of CPUs
•Memory
•Disk Capacity
Note: These sizing guidelines apply to servers running the HIDS agent sensor and not the HIDS System Manager (GUI).
3.1.1 Single vs. Multi-Processor
The component of HIDS that executes the intrusion detection logic is
•More processors allow more applications to produce event loads that need to be consumed by the HIDS agent. The impact of the HIDS agent depends on the system call activity of the applications producing the load and is therefore highly specific to the server load.
•The benefit of more processors diminishes when the number of processors exceeds the total number of HIDS agent threads that process event loads. The total number of these HIDS threads is (T + 2), where T is the number of detection templates running and has a maximum value of 10 if HIDS is running only one instance of each template type.
3.1.2 Number of CPUs
For the majority of deployments, the HIDS performance bottleneck will typically be the CPU, primarily from the idscor process. The idscor process is
The CPU consumption by the HIDS processes is charted against the rate of system call audit records (events) in Appendix A.
3.1.3 Memory
As the sustained event load on the server increases, more resident memory may be consumed, especially by the idscor process, which dynamically allocates heap memory to store and process events. On systems with little memory, or where other applications contend for memory, virtual memory/disk I/O (i.e., process swapping) can affect performance. An additional 40 to 60 MB of memory is recommended for all of the HIDS agent’s processes.