Running Suricata/Snort on an SG-1100 not a good idea?
-
I am upgrading my internet speed to 200/30 Mbps and want to change my router.
This is for home usage.
My son is running a game server (few users so far), but the rest is normal stuff, no VPN or other special things.
I wanted to buy an SG-1100 and run Suricata or Snort on it, but it looks like the unit may not be strong enough for that. Is it better to have the router go to an external server (Intel-based) that has more power, or is the SG-1100 good enough for that?
-
I don't have one myself, but I'm pretty sure the SG-1100 is plenty powerful for Snort or Suricata.
https://www.netgate.com/blog/netgates-new-sg-1100-punches-way-above-its-weight.html
Also, here's some feedback on running IDS/IPS on/for home internet connections:
https://www.reddit.com/r/PFSENSE/comments/5fjexm/is_snort_needed_for_a_home_connection/
https://www.reddit.com/r/PFSENSE/comments/6i88dd/is_snort_overkill/
https://www.reddit.com/r/OPNsenseFirewall/comments/ach76v/intrusion_detectionblocking_suricata_is_it_really/
Jeff
-
Thanks for the information.
It's just that I saw someone using Suricata on something more powerful than the SG-1100, with 4 GB of RAM, and the CPU was really busy. If I don't turn everything on (not required for home use), it should be OK.
-
It will work if you are stingy with the number of rules you enable. The SG-1100 has only 1 GB of RAM, and that can quickly get consumed by Suricata (or Snort) rules.
See this thread for an example where the user had too many rules enabled and was running out of RAM during rule updates, where Suricata (or Snort) will temporarily keep two complete copies of the rules in RAM.
https://forum.netgate.com/topic/145192/snort-running-on-sg-1100-randomly-stops-working. While his issue was with Snort, Suricata is susceptible to the exact same issue if you enable too many rules.
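Being "stingy with the number of rules" starts with knowing how many are actually enabled and where they come from. The following is an added example (not code from this thread or from Netgate): a small parser for Snort/Suricata rule text that counts enabled versus `#`-disabled rules and breaks the enabled ones down by `classtype`. The sample rules embedded in it are constructed for illustration.

```python
import re
from collections import Counter
# Constructed sample excerpt in Snort/Suricata rule syntax (not a real ruleset).
SAMPLE_RULES = """\
# Local rules for a home WAN sensor (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; \\
    flow:to_server; threshold:type both,track by_src,count 5,seconds 60; \\
    classtype:attempted-admin; sid:1000001; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP probe"; classtype:attempted-recon; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"DNS query for known bad domain"; classtype:trojan-activity; sid:1000003; rev:2;)
# alert ip any any -> any any (msg:"Noisy catch-all, kept disabled"; classtype:policy-violation; sid:1000004; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"RDP from internet"; classtype:attempted-admin; sid:1000005; rev:1;)
"""
# Most common rule actions; a leading "#" marks a rule as disabled rather than deleted.
ACTIONS = ("alert", "drop", "pass", "reject", "log")
RULE_RE = re.compile(r"^(?P<disabled>#\s*)?(?P<action>" + "|".join(ACTIONS) + r")\s")

def iter_logical_lines(text):
    """Join backslash-continued lines into single logical rule lines."""
    buf = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield " ".join(buf).strip()
        buf = []
    if buf:
        yield " ".join(buf).strip()

def summarize_rules(text):
    """Return counts of enabled/disabled rules and enabled rules per classtype."""
    enabled = disabled = 0
    per_class = Counter()
    for line in iter_logical_lines(text):
        m = RULE_RE.match(line)
        if not m:
            continue  # plain comment, blank line, or other non-rule text
        if m.group("disabled"):
            disabled += 1
            continue
        enabled += 1
        ct = re.search(r"classtype:\s*([^;]+);", line)
        per_class[ct.group(1).strip() if ct else "unclassified"] += 1
    return {"enabled": enabled, "disabled": disabled, "per_classtype": dict(per_class)}

if __name__ == "__main__":
    print(summarize_rules(SAMPLE_RULES))
```

Run it over your own downloaded rule files (concatenated, or one at a time per category) to see which categories contribute most enabled rules before trimming.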
-
Thanks for the info.
Memory is so cheap these days, I do not understand why this thing has only 1 GB.
-
@informel I purchased a SG-1100 for my house and highly recommend it. I am running the following with no problem:
pfBlockerNG devel (This is awesome - no more ads!)
Snort (running only on the WAN)
Acme (For let's encrypt)
Avahi (so I can use AirPlay and AirPrint)
OpenVPN
7 VLANs
DNS Resolver (on by default)
My ISP is Comcast and I have a 100/20 connection.
As far as performance, I have seen no loss of speed. For example, I run an Xfinity speed test and I get the speed I am paying for. OpenVPN from my iPhone works with no disconnects. Sometimes I forget to turn it off only to find it still running.
I did run into some issues with the Snort service stopping during updates, but after following a suggestion from bmeeks to use the "connectivity" IPS profile I haven't had this issue since. I think Snort is a very resource-needy service.
Again, for a small environment like a home, in my opinion, it is an excellent choice. I work in IT and this is what I run at home.
-
Thanks for the info, you convinced me
-
@costanzo said in Running Suricata/Snort on an SG-1100 not a good idea?:
@informel I purchased a SG-1100 for my house and highly recommend it. I am running the following with no problem:
pfBlockerNG devel (This is awesome - no more ads!)
Snort (running only on the WAN)
Acme (For let's encrypt)
Avahi (so I can use AirPlay and AirPrint)
OpenVPN
7 VLANs
DNS Resolver (on by default)
My ISP is Comcast and I have a 100/20 connection.
As far as performance, I have seen no loss of speed. For example, I run an Xfinity speed test and I get the speed I am paying for. OpenVPN from my iPhone works with no disconnects. Sometimes I forget to turn it off only to find it still running.
I did run into some issues with the Snort service stopping during updates, but after following a suggestion from bmeeks to use the "connectivity" IPS profile I haven't had this issue since. I think Snort is a very resource-needy service.
Again, for a small environment like a home, in my opinion, it is an excellent choice. I work in IT and this is what I run at home.
Hopefully this isn't so old that you don't see this, but I'm wondering what you mean when you say you are running Snort on WAN only? I'm reading that the 1100 can be under-powered for IDS, but as it's my house I don't think I need really crazy rules in place; I just want to know if/when something happens. I can only really afford the SG1100 right now and it would be great to hear your thoughts on this (and how it's going, a year later).