Netgate Discussion Forum
    Managing resources with Snort…max # interfaces...max rules? Snort 201

    IDS/IPS
    3 Posts 2 Posters 403 Views
    Velcro:

      I am trying to manage my firewall resources (Memory, CPU and SWAP usage?). I'd like to run Snort on most of my VLANs and external interfaces to provide multiple layers of protection.

      My current config and dashboards readings are as follows:
      CPU usage = 54%
      Memory usage = 90%
      SWAP usage = 59%
      I have Snort enabled on WAN, my VPN (PIA), and my critical/high security VLAN1 and VLAN2 (IoT devices)

      Rules enabled:
      I have enabled VRT rules, GPLv2 rules, Enable ET Open
      OpenAppID rules are not enabled. I am not trying to limit apps in my small network…Wife needs her Facebook, Instagram, Skype, etc...

      Rule settings:
      VRT IPS Policy Selection: WAN&VPN set to "Security", VLAN1 set to "Security" & VLAN2 set to "Connectivity"
      GPLv2: Enabled for all
      ET Open Rules:  All enabled for all interfaces

      I have a few other VLANs I want to protect and I get the sense a lot of the rules I have enabled are not providing value as I do not host email, no website, no open ports, not a business environment. It feels like I have maxed my limited resources.

      My goals:
      Max security...picture a targeted attack!
      Won't be able to stop my wife from clicking on every link on Facebook, Instagram or Pinterest. Nor can I block those apps :-*

      Any thoughts on rules to enable? Rules to disable? Other settings?

      Thank you for any direction or opinions...

      V

      NollipfSense:

        Should have told us what hardware you got. Also, I think maximum security takes a while to achieve in the sense that it's a continuous learning process. It also seems that you need more RAM. I am running pfSense 2.4.2 on an HP Pavilion a6242n with the following packages: Snort, Suricata, Iperf, Ntopng, pfBlockerNG, Squid with antivirus…here's my performance below.

        ![Screen Shot 2017-12-08 at 9.13.28 PM.png](/public/imported_attachments/1/Screen Shot 2017-12-08 at 9.13.28 PM.png)

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

        Velcro:

          I have an SG-2440, pfSense 2.4.2…4 GB of RAM...now I am up to 92% of RAM usage. CPU seems fine...thanks for sharing what you are running; seems like you run a lot and a rock-solid configuration. I googled your HP Pavilion a6242n...you are running that with 3 GB of RAM? I have to assume you added more...

          I am running pfBlocker and Snort...but it looks like Snort is taking up most of the resources.

          I have a lot of rules running but struggled to find rules that are more for management and rules for threats...I understand there is some overlap but are there rules I just don't need for my use?

          Looking at your setup...I like the sound of Squid antivirus but struggled with just setting up the antivirus part, is this possible?

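Both of Velcro's posts come down to the same question: on a home network that hosts no mail, web or other inbound services, which enabled rules are only burning RAM and CPU? The script below is an added example for this thread, not code from pfSense, Snort or any poster. It parses Snort rule lines, buckets each rule by what traffic it watches (inbound to a hosted service, outbound from a client, or a server response hitting a client), and lists the sids that a no-hosted-services profile can drop while keeping the browser, file and malware-cnc rules that actually cover "clicking every link". The rule lines, sids (9000001 and up) and hostnames are constructed for the example; the rule-file names and $VAR names follow Snort's stock rule-file and snort.conf conventions, and the classification heuristic is this example's own.

```python
"""Classify Snort rules by what they protect, to find rules a home firewall
with no hosted services does not need (added example, not pfSense/Snort code)."""
import re
from collections import Counter

# Constructed sample: a few rule lines keyed by the rules file they would live in.
SAMPLE_RULE_FILES = {
    "server-mail.rules": [
        'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL example RCPT overflow"; flow:to_server,established; content:"RCPT TO|3A|"; classtype:attempted-admin; sid:9000001; rev:1;)',
        '# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL example off by default"; flow:to_server,established; content:"VRFY"; classtype:attempted-recon; sid:9000002; rev:1;)',
    ],
    "server-webapp.rules": [
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP example traversal attempt"; flow:to_server,established; content:"../"; http_uri; classtype:web-application-attack; sid:9000003; rev:1;)',
    ],
    "malware-cnc.rules": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC example beacon"; flow:to_server,established; content:"User-Agent|3A 20|example"; http_header; classtype:trojan-activity; sid:9000004; rev:1;)',
    ],
    "browser-ie.rules": [
        'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE example memory corruption attempt"; flow:to_client,established; file_data; content:"<object"; classtype:attempted-user; sid:9000005; rev:1;)',
    ],
    "policy-social.rules": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL example social network login"; flow:to_server,established; content:"Host|3A 20|example-social.invalid"; http_header; classtype:policy-violation; sid:9000006; rev:1;)',
    ],
}

# Rule header: optional leading '#' (disabled), action, proto, src, sport, direction, dst, dport, then the option block.
RULE_RE = re.compile(
    r"^(?P<off>#\s*)?(?P<action>alert|drop|log|pass|reject|sdrop)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

# Server variables from the stock snort.conf; a rule whose destination is one of
# these only ever matches traffic to a service you actually host.
SERVER_VARS = {"$HTTP_SERVERS", "$SMTP_SERVERS", "$SQL_SERVERS", "$DNS_SERVERS",
               "$TELNET_SERVERS", "$SSH_SERVERS", "$FTP_SERVERS", "$SIP_SERVERS"}


def classify(rule):
    """Bucket a rule by the traffic direction it watches (heuristic of this example)."""
    if rule["dst"] in SERVER_VARS or rule["file"].startswith("server-"):
        return "hosted-service"   # inbound to a service on HOME_NET; server-* rules using $HOME_NET land here too
    if rule["src"] == "$HOME_NET":
        return "outbound"         # client-initiated: C2 beacons, policy, exfil
    return "inbound-client"       # server response hitting a client: browser, file, exploit-kit rules


def parse_rule(line, filename):
    """Return a dict for one rule line, or None for comments/blank lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts = {}
    for part in m.group("opts").split(";"):   # first occurrence of each keyword wins
        if ":" in part:
            key, val = part.split(":", 1)
            opts.setdefault(key.strip(), val.strip().strip('"'))
    rule = {
        "file": filename,
        "enabled": m.group("off") is None,     # '# alert ...' is a rule shipped disabled
        "src": m.group("src"),
        "dst": m.group("dst"),
        "sid": int(opts.get("sid", 0)),
        "msg": opts.get("msg", ""),
        "classtype": opts.get("classtype", ""),
    }
    rule["kind"] = classify(rule)
    return rule


def summarize(rule_files):
    """Parse every line of every file; returns the list of parsed rules."""
    return [r for fname, lines in rule_files.items() for ln in lines
            if (r := parse_rule(ln, fname))]


def count_by_kind(parsed):
    """How many *enabled* rules fall in each bucket."""
    return Counter(r["kind"] for r in parsed if r["enabled"])


def disable_candidates(parsed, hosted_services=frozenset(), enforce_policy=False):
    """Enabled sids that a profile with the given hosted services can turn off:
    hosted-service rules for services not in hosted_services, plus policy-*
    rules unless the operator wants to enforce usage policy."""
    out = []
    for r in parsed:
        if not r["enabled"]:
            continue
        if r["kind"] == "hosted-service" and r["dst"] not in hosted_services:
            out.append(r["sid"])
        elif r["file"].startswith("policy-") and not enforce_policy:
            out.append(r["sid"])
    return sorted(out)


def disablesid_lines(sids, gid=1):
    """Render sids as gid:sid lines, the PulledPork-style disablesid format
    (pfSense's Snort SID Mgmt tab takes that style; confirm against its help text)."""
    return [f"{gid}:{sid}" for sid in sids]


if __name__ == "__main__":
    rules = summarize(SAMPLE_RULE_FILES)
    print("enabled rules by kind:", dict(count_by_kind(rules)))
    for sid in disable_candidates(rules):
        r = next(x for x in rules if x["sid"] == sid)
        print(f"candidate to disable: {r['file']} sid {sid} ({r['msg']})")
    print("\n".join(disablesid_lines(disable_candidates(rules))))
```

Run against a real rules directory, `SAMPLE_RULE_FILES` would be replaced by reading each `*.rules` file in the Snort rules path, and the per-kind counts give a quick picture of how much of the loaded rule set is server-side: on a network with no open ports those rules never see matching traffic, so disabling them trades nothing for the memory headroom the thread is short of. The outbound and inbound-client buckets are the ones that matter for a client-only network and should stay.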
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.