Snort question To Snort, or not to Snort
-
Hello all, after reading the forums for hours, and not finding what I was looking for I decided to ask the forum for help.
I am trying to determine if there are any major issues with running snort on my platform/environment.
Hardware: Jetway NC9E-525 Mini-ITX Motherboard, Intel Atom D525, 5 Gig ports, 4GB RAM, SSD (SanDisk X110 64GB),
Software: PF-Embedded-4GB-VGA on a SSD, /var & /tmp RAM Disks are both 300MB each, RRD backup every 12 hours, DHCP lease backup never.
Interfaces: WAN, LAN, OPT1, na, na
VPN: Less than 12 OpenVPN clients
From what I have configured so far I should not be killing my SSD (embedded with RAM disks, and limited backups).
I understand that Snort would use more RAM, and that's fine as I am only using 10% of 4GB currently.
Has anyone run snort on NANO 4GB edition and had any major issues? I would really like to use this package. Thanks in advance for anyone's comments.
Ash,
-
It should work OK, but with the /var partition as a RAM disk some files Snort uses will not be persisted and it may error out on a reboot. In particular the IP REP preprocessor blacklist and whitelist files live in /var/db/snort/iprep.
Bill
-
Yikes, while I would love this package, I do not want it to fail on reboot. Maybe later Nano-PF will get some extra Packages love :)
Bill - Thanks for replying so quickly. Keep up the great work as well!
Ash,
-
It should only be a problem if you enable IP reputation lists in Snort. Not really a big deal. The Snort.org rules don't include any lists as far as I can tell and the OpenET rules include one list, but you can also load that up on pfBlocker instead.
-
fragged is correct. This only impacts the IP REPUTATION preprocessor. It is disabled by default. I was just pointing it out as one area that can fail with RAM disks. The downloaded rules tarballs and the individual interface rules are stored on the /usr partition.
There once was a bug where Snort did not put the /usr partition in read/write mode when trying to update some files, but I think I have all of those fixed now. Report back if you notice any errors in the system log about attempting to write to a read-only partition.
Bill
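A pre-flight check for the two things discussed in this thread, written for this edit rather than taken from the thread or the pfSense Snort package: whether the IP REP lists under /var/db/snort/iprep (the path Bill names) sit on a RAM disk, and whether the system log already shows writes to a read-only partition. The function names, the sample `mount` output and the sample log lines are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the thread or the pfSense Snort package:
# pre-flight check for the failure mode Bill describes (Snort IP REP list
# files live in /var/db/snort/iprep; with /var on a RAM disk, a /dev/mdN
# device on pfSense, they are gone after reboot). Functions read `mount`
# output or the system log from stdin so they run offline on the samples.

# Print the device backing mount point $1, given `mount` output on stdin.
backing_device() {
    awk -v mp="$1" '$3 == mp { print $1; exit }'
}

# Succeed if $1 names a FreeBSD memory disk (/dev/md0, /dev/md1, ...).
is_memory_disk() {
    case "$1" in /dev/md[0-9]*) return 0 ;; *) return 1 ;; esac
}

# Succeed if directory $1 exists and holds at least one list file.
iprep_lists_present() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# Print AT-RISK when the lists in dir $2 sit on a RAM disk mounted at $1,
# otherwise OK. Reads `mount` output from stdin.
check_iprep_persistence() {
    dev=$(backing_device "$1")
    if is_memory_disk "$dev" && iprep_lists_present "$2"; then
        echo "AT-RISK: $2 is on RAM disk $dev and will be empty after reboot"
    else
        echo "OK"
    fi
}

# Count log lines recording a write to a read-only filesystem, the symptom
# Bill asks readers to report. (|| true keeps a zero count from tripping set -e.)
count_readonly_errors() {
    grep -ci 'read-only file system' || true
}

# Constructed samples standing in for `mount` output and /var/log/system.log.
SAMPLE_MOUNT='/dev/ufs/pfsense0 on / (ufs, local, read-only)
/dev/md0 on /var (ufs, local)
/dev/md1 on /tmp (ufs, local)'
SAMPLE_LOG='Jan 1 00:00:02 pf php: cp: /usr/local/etc/snort: Read-only file system
Jan 1 00:00:03 pf snort[123]: Commencing packet processing'

# Demo on the samples; on a live box replace the printf with `mount` and
# the log with /var/log/system.log.
printf '%s\n' "$SAMPLE_MOUNT" | check_iprep_persistence /var /var/db/snort/iprep
printf '%s\n' "$SAMPLE_LOG" | count_readonly_errors
```

On the sample data the check reports the lists as at risk only when the iprep directory actually contains files, so an install that never enabled IP reputation gets OK.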