Snort - Best Search Method for Core 2 Duo, 4GB RAM. ET Open rules ?
-
Hello.
I noticed that my CPU was hitting 77 degrees C with my 100Mbps connection saturated.
I am running PFblockerNG (just DNSBL Easylist, no IP lists) and Snort (free VRT, Community and ET Open on just the LAN)
When I disabled Snort, my CPU temps and load DRASTICALLY dropped. Btw I had nearly every ET Open rule selected.
CPU: Core 2 Duo 3Ghz
RAM: 4 GB
Storage: Sandisk 64GB SSD
What Search Method is ideal for this setup ? Default is AC-BNFA. I notice that my system is only using 1.8GB out of the 4GB available.
Is one of the search methods easier on the CPU but better utilizes the 4GB ?
Also, what about ET Open rules ? For VRT, I have IPS Policy Selection set to "Balanced"
There is no Policy for ET Open rules. Which ones are recommended for home / home office use ? I am NOT running any servers btw.
-
Try AC-BNFA-NQ
-
@THS:
Hello.
I noticed that my CPU was hitting 77 degrees C with my 100Mbps connection saturated.
What Search Method is ideal for this setup ? Default is AC-BNFA. I notice that my system is only using 1.8GB out of the 4GB available.
Is one of the search methods easier on the CPU but better utilizes the 4GB ?
Also, what about ET Open rules ? For VRT, I have IPS Policy Selection set to "Balanced"
There is no Policy for ET Open rules. Which ones are recommended for home / home office use ? I am NOT running any servers btw.
I have a similar set-up to your system running Snort and it's using less than 1GB!
Try AC-BNFA-NQ for search method.
Personally I do not tick/use IPS Policy, I pick the rules manually (untick that option to pick rules manually). I also use Snort GPLv2 Community Rules (VRT certified)
If you choose to pick the rules manually I recommend starting with the rules listed below. Test them for false positives and suppress the false positives; there will be quite a few when you're just starting to use Snort. Add new rules as you go along, test, and suppress. Good luck!
Start with these:
emerging-malware.rules, emerging-trojan.rules, emerging-worm.rules, emerging-ciarmy.rules, emerging-current_events.rules, emerging-dshield.rules, emerging-compromised.rules, emerging-scan.rules, emerging-info.rules, emerging-exploit.rules, emerging-mobile_malware.rules, emerging-misc.rules.
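The "test, then suppress the false positives" loop above is easier if you triage the alert log by signature rather than by eyeballing it. The following script is an added example (not code from this thread or from the pfSense Snort package): it parses Snort's alert_fast output, groups hits by generator ID and signature ID, and emits threshold.conf-style suppress lines for signatures that are both noisy and low priority. The sample alert lines and the SIDs 1000001 to 1000003 are constructed for the example (that SID range is reserved for local rules), and the count and priority thresholds are assumptions you would tune to your own traffic. Anything it emits is a candidate to review, not a list to apply blindly.

```python
import re

# Constructed sample lines in Snort alert_fast format (not from the thread).
# Priority 1 is the most severe, 3 the least. SIDs >= 1000000 are the local-rule range.
SAMPLE_ALERTS = """\
01/15-10:23:45.123456  [**] [1:1000001:3] EXAMPLE RULE A [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.10:5353 -> 224.0.0.251:5353
01/15-10:23:46.001122  [**] [1:1000001:3] EXAMPLE RULE A [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.11:5353 -> 224.0.0.251:5353
01/15-10:24:01.555000  [**] [1:1000001:3] EXAMPLE RULE A [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.10:5353 -> 224.0.0.251:5353
01/15-10:30:12.000001  [**] [1:1000002:1] EXAMPLE RULE B [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:44321 -> 192.168.1.5:22
01/15-10:31:00.000002  [**] [1:1000003:2] EXAMPLE RULE C [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.10:51000 -> 198.51.100.20:443
01/15-10:31:05.000003  [**] [1:1000003:2] EXAMPLE RULE C [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.10:51001 -> 198.51.100.20:443
"""

# One alert_fast line: timestamp, [**] [gid:sid:rev] msg [**], optional classification,
# priority, {proto}, src -> dst. The classification block is absent for rules without one.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_fast_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        a[k] = int(a[k])
    # ICMP alerts carry no port; rsplit leaves a bare address untouched.
    # (IPv4 only here: bracketless IPv6 addresses would need a different split.)
    a["src_ip"] = a["src"].rsplit(":", 1)[0]
    a["dst_ip"] = a["dst"].rsplit(":", 1)[0]
    return a


def summarize(lines):
    """Group alerts by (gid, sid): hit count, message, priority, distinct source IPs."""
    summary = {}
    for line in lines:
        a = parse_fast_alert(line)
        if a is None:
            continue
        key = (a["gid"], a["sid"])
        entry = summary.setdefault(
            key, {"msg": a["msg"], "prio": a["prio"], "count": 0, "sources": set()}
        )
        entry["count"] += 1
        entry["sources"].add(a["src_ip"])
    return summary


def suppress_candidates(summary, min_count=2, min_priority=3):
    """Emit threshold.conf 'suppress' lines for signatures that fired at least min_count
    times and have a priority number of min_priority or higher (i.e. low severity).
    If every hit came from a single source, suppress only for that host; otherwise
    suppress the signature globally. Thresholds are assumptions, tune them locally."""
    out = []
    for (gid, sid), e in sorted(summary.items()):
        if e["count"] < min_count or e["prio"] < min_priority:
            continue
        if len(e["sources"]) == 1:
            ip = next(iter(e["sources"]))
            out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}")
        else:
            out.append(f"suppress gen_id {gid}, sig_id {sid}")
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS.splitlines())
    for (gid, sid), e in sorted(s.items()):
        print(f"{gid}:{sid}  hits={e['count']}  prio={e['prio']}  "
              f"sources={len(e['sources'])}  {e['msg']}")
    print("\n".join(suppress_candidates(s)))
```

On the sample data, rule B is never suggested (priority 1, one hit), rule A is suppressed globally because two different hosts triggered it, and rule C is suppressed only for the single host that produced it. The per-source form is the safer default: it keeps the signature live for everything else on the LAN. The suppress syntax is the same one the pfSense Snort package's Suppress list accepts, so reviewed lines can be pasted in there; run the script over the real alert log (for example /var/log/snort/alert on the firewall) rather than the embedded sample.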