Netgate Discussion Forum

Faq into Snort modes

pfSense Packages
  • S
    Snailer
    last edited by May 31, 2007, 12:15 PM

    I'd like to know more about the concepts of, or differences between, the various Snort modes, i.e. lowmem and ac-sparsebands. *
    And how they affect Snort. Who can give me some pointers about this topic, please?
    2nd: Is it a good idea to add a FAQ or sticky topic about this, in relation to pfSense, to the documentation forum section?

    • I have just upgraded pfSense's system RAM to 512 MB (maxed out).
    • B
      bellera
      last edited by Jun 1, 2007, 8:01 AM Jun 1, 2007, 8:00 AM

      Hello!

      Snort is a very complex tool. You should go to its official manual:

      http://www.snort.org/docs/snort_htmanuals/htmanual_261/node32.html

      ac              Aho-Corasick Full (high memory, best performance)
      ac-std          Aho-Corasick Standard (moderate memory, high performance)
      ac-bnfa         Aho-Corasick NFA (low memory, high performance)
      acs             Aho-Corasick Sparse (small memory, moderate performance)
      ac-banded       Aho-Corasick Banded (small memory, moderate performance)
      ac-sparsebands  Aho-Corasick Sparse-Banded (small memory, high performance)
      lowmem          Low Memory Keyword Trie (small memory, low performance)

      Some rules can cause snort not to start if you are using lowmem. I'm running standard+community+bleeding+local rules on a snort box (external to pfSense) and I have:

      config detection: search-method ac-bnfa

      The pfSense snort configurator uses only standard+local rules and I think it works with the lowmem algorithm.

      Regards,

      Josep Pujadas

      • T
        teck9
        last edited by Jun 3, 2007, 4:45 AM

        I don't see ac-bnfa in pfSense ???

        • B
          bellera
          last edited by Jun 3, 2007, 5:42 PM Jun 3, 2007, 5:40 PM

          Hello!

          If you want to modify some configuration parameters for your pfSense and the possible values are not listed in the web configurator, you can follow these steps (at your own risk):

          1. Go to [Diagnostics][Backup/Restore] and download the ALL configuration to your PC. Be careful! The XML file has sensitive information about your LANs & WANs. Save it in a VERY secure folder!

          2. Copy your XML file with another name and edit it.

          3. For snort performance, search for the <snort> tag. A few lines after it you have:

          <performance>lowmem</performance>

          4. Change lowmem for your desired value.

          5. Save changes.

          6. Go to [Diagnostics][Backup/Restore] again and do an ALL restore. Of course, this operation will reboot your firewall !!!

          After rebooting, if you want to see if snort is running go to the SSH shell and type:

          ps -aux | grep snort

          You should see the snort process running …

          I don't know why the GUI doesn't have more options for snort performance. Perhaps it is to reduce CPU load. Be careful with the changes ...

          Note: If you edit your snort settings again with the GUI, you will lose the changes made by this method.

          Other possible changes using the XML "method":

          http://faq.pfsense.com/index.php?action=artikel&cat=10&id=38&artlang=en&highlight=hidden

          Regards,

          Josep Pujadas

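Steps 2 to 5 of the post above can be scripted so that only the `<performance>` value inside the `<snort>` section changes and the value is checked against the search methods listed earlier in the thread. This is an added example, not part of the original post or of pfSense; the sample XML layout, the function names and the output file name are assumptions.

```python
import os
import re

# Search methods from the Snort manual excerpt quoted in this thread.
SEARCH_METHODS = {"ac", "ac-std", "ac-bnfa", "acs", "ac-banded",
                  "ac-sparsebands", "lowmem"}
SNORT_BLOCK = re.compile(r"<snort>.*?</snort>", re.DOTALL)
PERFORMANCE = re.compile(r"(?<=<performance>)[^<]*(?=</performance>)")


def set_search_method(xml_text, method):
    """Return (new_text, old_value); every byte outside <performance> is kept."""
    if method not in SEARCH_METHODS:
        raise ValueError(f"unknown search method: {method!r}")
    block = SNORT_BLOCK.search(xml_text)
    if block is None:
        raise ValueError("no <snort> section in this backup")
    values = PERFORMANCE.findall(block.group(0))
    if len(values) != 1:
        raise ValueError(f"expected one <performance> tag, found {len(values)}")
    new_block = PERFORMANCE.sub(method, block.group(0))
    new_text = xml_text[:block.start()] + new_block + xml_text[block.end():]
    return new_text, values[0].strip()


def write_private(path, text):
    """Create the edited copy with owner-only permissions (POSIX mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)


# Constructed sample, not a real pfSense backup; the element layout is assumed.
SAMPLE = """<?xml version="1.0"?>
<pfsense>
  <system><hostname>fw</hostname></system>
  <snort>
    <config>
      <performance>lowmem</performance>
    </config>
  </snort>
</pfsense>
"""

if __name__ == "__main__":
    edited, previous = set_search_method(SAMPLE, "ac-bnfa")
    write_private("config-edited.xml", edited)
    print(f"search method: {previous} -> ac-bnfa")
```

Because the edit is textual, the rest of the backup is restored byte for byte, and an unrecognised value is rejected before anything is written.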
          • T
            teck9
            last edited by Jun 7, 2007, 9:37 AM

            It worked, thanks!!

            • B
              bellera
              last edited by Jun 7, 2007, 1:02 PM

              Ok!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.