What Does Snort Require?

Snort is free, which certainly has helped with the decision to deploy an IDS in your organization. It requires little in the way of training, so your training budget for your administrators will not be shot. Certainly there must be some hidden costs involved?

These costs come in the form of hardware resources to deploy Snort, and of the time you invest in learning, installing and maintaining it. Snort is a lightweight IDS, but it does require a minimum of resources to be effective. It does not help to deploy a Snort sensor on hardware so anemic that it drops 30% (or more) of the monitored traffic, because every dropped packet is traffic the IDS never inspected. As with any piece of software, the more resources you throw at it, the better it responds.

A Pentium-class computer with a 266MHz CPU and at least 96MB of RAM should suffice to monitor a T1 running with all plugins and a full ruleset. The same Snort configuration monitoring a full-duplex 100Mb/s fast Ethernet segment might require a 900MHz computer with 512MB of RAM. Snort, in its current design incarnation, does not scale well past 200–300 Mb/s worth of traffic, and thus will not reliably monitor fully saturated gigabit Ethernet segments. The flip side of this limitation is that there are very few, if any, IDS products that will reliably monitor a fully loaded gigabit Ethernet segment without dropping packets.
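The sizing figures above are only guidelines; the observable test of whether a sensor is adequately provisioned is its packet drop count, which is why the 30% figure in the previous paragraph matters more than the CPU speed. As an added example (not from the original text or from the Snort project), here is a Python script that parses the "Packet I/O Totals" block that Snort 2.9 prints when it exits or receives SIGUSR1, and flags a sensor that is dropping more than a chosen fraction of what it received. The block layout is assumed from that version's output, and the counts in both samples are constructed.

```python
import re

# Constructed sample of the "Packet I/O Totals" block that Snort 2.9 prints
# when it exits or receives SIGUSR1. The layout is an assumption based on that
# version; the counts are made up to show a badly undersized sensor.
UNDERSIZED_STATS = """\
===============================================================================
Packet I/O Totals:
   Received:         1000000
   Analyzed:          700000 ( 70.000%)
    Dropped:          300000 ( 30.000%)
   Filtered:               0 (  0.000%)
Outstanding:               0 (  0.000%)
   Injected:               0
===============================================================================
"""

# Constructed sample from a sensor that is keeping up with its segment.
HEALTHY_STATS = """\
Packet I/O Totals:
   Received:         1000000
   Analyzed:          999500 ( 99.950%)
    Dropped:             500 (  0.050%)
   Filtered:               0 (  0.000%)
Outstanding:               0 (  0.000%)
   Injected:               0
"""

# One line per counter: optional indentation, the counter name, a colon, digits.
COUNTER_RE = re.compile(
    r"^\s*(Received|Analyzed|Dropped|Filtered|Outstanding|Injected):\s+(\d+)",
    re.MULTILINE,
)


def parse_packet_totals(text):
    """Return the raw counters from a Packet I/O Totals block as {name: int}."""
    return {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(text)}


def drop_rate(totals):
    """Dropped / Received as a float in [0, 1].

    Computed from the raw counters rather than the printed percentage, which
    is rounded and not present in every Snort version's output.
    """
    received = totals.get("Received", 0)
    if received == 0:
        return 0.0
    return totals.get("Dropped", 0) / received


def assess_sensor(text, max_drop_rate=0.01):
    """Classify a stats block as 'no-traffic', 'dropping' or 'ok'.

    A sensor that received nothing is flagged separately: a 0% drop rate on
    zero packets usually means the wrong interface or a dead span port, not a
    healthy sensor.
    """
    totals = parse_packet_totals(text)
    rate = drop_rate(totals)
    if totals.get("Received", 0) == 0:
        status = "no-traffic"
    elif rate > max_drop_rate:
        status = "dropping"
    else:
        status = "ok"
    return {"status": status, "drop_rate": rate, "totals": totals}


if __name__ == "__main__":
    for label, stats in (("undersized", UNDERSIZED_STATS), ("healthy", HEALTHY_STATS)):
        result = assess_sensor(stats)
        print(f"{label}: {result['status']} (dropped {result['drop_rate']:.1%})")
```

The 1% default threshold is a starting point, not a rule; the point is to compute the rate from the raw Received and Dropped counters on every restart or SIGUSR1 dump and treat a sustained rise as a sign the sensor needs more hardware or less traffic, before the missed packets become missed alerts.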
