SG1100 and Snort?
-
Relatively new to my SG1100. Got it for my house. Set up Snort and it failed in about 2.5 minutes, consistently. Logs show: pid XXXX (snort), jid 0, uid 0, was killed: failed to reclaim memory
OK - that is pretty clear. Looked around blogs and videos and posts here... seems minimizing the ruleset would lessen the memory consumption, so
- I deleted Snort,
- rebooted and then
- re-added Snort and
- enabled one interface for Snort.
- I set the IPS Policy to "Connectivity" from Balanced.
- I added ONLY the ET Open Rules as a test (so the long list of Snort Text Rules, Snort SO rules and OPENAPPID rules are all there, but not enabled), and no other packages loaded (except Wireguard, but it is not configured or enabled), and Snort now loads for about 4 mins before it dies. Same error:
pid XXXX (snort), jid 0, uid 0, was killed: failed to reclaim memory
Q1) Is there any practical way to use Snort on an SG1100 or is it really not possible with only 1GB ram? And if so,
Q2) can there be a robust implementation of Snort on a 2100 with only 4 GB RAM, and be able to upgrade the rules and therefore host 2 copies of the rules in RAM at the same time while the old rules are removed and the new ones are coming in, along with a Wireguard VPN? Or is some crappy mini PC the way to go?
Thanks
-
@raspier Do you have any other packages running? You can minimize ZFS ARC but that is supposed to release if the OS needs RAM. How much RAM is in use on your router?
Live-reloading the rules will take more RAM; you could just not do that, and restart Snort.
We've used the similar Suricata for several years, and many of our clients have 2100s. 4 GB RAM is a big step up from 1 GB for pfSense. I do not know if we've ever installed either on an 1100. We did on 3100s (2 GB RAM).
FWIW by default the Snort config would survive deleting and reinstalling it (which is how the package upgrades) so that step doesn't really help.
-
@raspier You have SO rules? Can you please share a screenshot of that? The ARM processor does not do SO rules; they should not even be there.
-
An SG-1100 is just not enough hardware to run Snort well. Maybe if you only run about 100 rules tops, it would work. Really need 4GB of RAM to run either of the IDS/IPS packages comfortably. You can get them to work in 2GB boxes, but it's dicey - especially if you run any additional packages.
The error you are seeing is the OS going into full panic mode and killing the largest memory consuming process in order to preserve critical operating system processes. In your case, Snort is the biggest consumer of RAM, so it is chosen by the OOM (out-of-memory) Killer subroutine as the process to be nuked so that the system can survive (not crash by running critical processes out of memory).
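The OOM-killer line quoted in this thread is the only evidence the box leaves behind, so it helps to pull those events out of the system log and count which process is being reclaimed. The script below is an added example and is not code from the thread or from the pfSense/Snort packages; it assumes the kernel messages land in /var/log/system.log (the default on pfSense) and works on a small constructed sample so it runs anywhere.

```shell
#!/bin/sh
# Added example: find FreeBSD/pfSense OOM-kill events in a system log and
# count them per process. Everything below is an assumption of this example,
# not configuration or output from the original poster's router.

# Constructed sample log lines in /var/log/system.log format (not real data).
# On a live box you would pass /var/log/system.log instead of this file.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 10:00:01 pfSense kernel: pid 12345 (snort), jid 0, uid 0, was killed: failed to reclaim memory
Jan 10 10:04:12 pfSense kernel: pid 12390 (snort), jid 0, uid 0, was killed: failed to reclaim memory
Jan 10 10:05:00 pfSense php-fpm[400]: /rc.start_packages: Restarting/Starting all packages.
Jan 10 10:09:33 pfSense kernel: pid 12440 (snort), jid 0, uid 0, was killed: failed to reclaim memory
Jan 10 11:00:00 pfSense kernel: pid 999 (php-fpm), jid 0, uid 0, was killed: failed to reclaim memory
EOF

# oom_kills LOGFILE
# Prints one "COUNT PROCESS" line per process the OOM killer reclaimed,
# most frequently killed first. The process name is the token in
# parentheses after "pid NNN" in the kernel message.
oom_kills() {
    grep 'was killed: failed to reclaim memory' "$1" \
      | sed -n 's/.*pid [0-9]* (\([^)]*\)).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# oom_kill_count LOGFILE PROCESS
# Prints how many times PROCESS was OOM-killed (0 if never).
oom_kill_count() {
    oom_kills "$1" \
      | awk -v p="$2" '$2 == p {print $1; found=1} END {if (!found) print 0}'
}

# worst_oom_victim LOGFILE
# Prints the name of the process killed most often, or "none".
worst_oom_victim() {
    v=$(oom_kills "$1" | head -n 1 | awk '{print $2}')
    [ -n "$v" ] && echo "$v" || echo none
}

# Stand-alone usage: summarise the sample, then flag the top consumer.
echo "OOM kills per process:"
oom_kills "$SAMPLE_LOG"
echo "most-killed process: $(worst_oom_victim "$SAMPLE_LOG")"
```

A repeating kill of the same daemon at a steady interval, as in the sample, is the signature of the situation described above: the process is restarted, grows back to the same size, and is reclaimed again. Checking the count before and after trimming the ruleset or disabling live reload gives a concrete measure of whether the change helped.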
-
Thanks, @SteveITS
The box otherwise seems to run 30-40% RAM consumption. No other packages running - just the OOTB pfSense items. Ya - I am thinking this is the wrong HW because of the 1GB RAM limitation -
@bmeeks Yes - that's what I figured it was doing. At least it was super consistent. :-)
Hmmm.... more shopping!
-
@raspier The 2100-MAX runs Snort really well, but it won't do SO objects. It does everything else. See Snort SO rules. I have a paid subscription with a code and everything, but the SO rules never populate. Do they show up on your 1100?
"Your Netgate 2100-MAX uses an ARM64 CPU (Marvell ARMADA).
Important Limitation:
Snort SO rules are precompiled binary modules. Cisco/Sourcefire only provides precompiled SO rules for x86_64, not ARM.
That means SO rules are not available on the Netgate 2100, 3100, 1100, or any ARM-based device." So how does yours show up???