Managing resources with Snort…max # interfaces...max rules? Snort 201

  • I am trying to manage my firewall resources (Memory, CPU and SWAP usage?). I'd like to run Snort on most of my VLANs and external interfaces to provide multiple layers of protection.

    My current config and dashboards readings are as follows:
    CPU usage = 54%
    Memory usage = 90%
    SWAP usage = 59%
    I have Snort enabled on WAN, my VPN (PIA), and my critical/high-security VLAN1 and VLAN2 (IoT devices)

    Rules enabled:
    I have enabled VRT rules, GPLv2 rules and ET Open rules.
    OpenAppID rules are not enabled. I am not trying to limit apps in my small network…Wife needs her Facebook, Instagram, Skype, etc...

    Rule settings:
    VRT IPS Policy Selection: WAN & VPN set to "Security", VLAN1 set to "Security" & VLAN2 set to "Connectivity"
    GPLv2: Enabled for all
    ET Open Rules:  All enabled for all interfaces

    I have a few other VLANs I want to protect, and I get the sense a lot of the rules I have enabled are not providing value, as I do not host email, no website, no open ports, not a business environment. It feels like I have maxed my limited resources.

    My goals:
    Max security...picture a targeted attack!
    Won't be able to stop my wife from clicking on every link on Facebook, Instagram or Pinterest. Nor can I block those apps :-*

    Any thoughts on rules to enable? Rules to disable? Other settings?

    Thank you for any direction or opinions...
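
    The question above is really "which of my enabled rules can never fire on this network?" One way to answer it is to triage the rule text itself by traffic direction: rules whose destination is a hosted-service variable ($HTTP_SERVERS, $SMTP_SERVERS, $SQL_SERVERS, ...) or that only match inbound flow:to_server traffic cannot trigger on a network with no open ports, whereas client-side (flow:to_client) and outbound/indicator rules are the ones that catch a user clicking a bad link. The script below is an added example, not code from the original post or from the pfSense Snort package; the rules it parses are constructed samples, the SERVER_VARS set is my own choice of the stock snort.conf service variables, and the gid:sid output format is an assumption about what a pulledpork-style disable list expects.

```python
"""Triage Snort 2.9-style rules by traffic direction to spot low-value categories.

Added example (not from the pfSense Snort package). Parses rule text, classifies
each rule by which side of the connection it defends, and reports which rule
categories only fire on inbound traffic to hosted services. On a network that
hosts nothing (no open ports) those rules consume memory without adding detection.
"""
import re
from collections import Counter, defaultdict

# Assumption: stock snort.conf variables that name hosted services. The names are
# the standard ones; which ones count as "hosted service" is our choice here.
SERVER_VARS = {
    "$HTTP_SERVERS", "$SMTP_SERVERS", "$SQL_SERVERS", "$DNS_SERVERS",
    "$TELNET_SERVERS", "$SSH_SERVERS", "$FTP_SERVERS", "$SIP_SERVERS",
}

# Constructed sample rules for demonstration only; SIDs 9000001+ are not real.
SAMPLE_RULES = """\
# Constructed Snort rules (not from any real ruleset)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test traversal attempt"; flow:to_server,established; content:"../"; classtype:web-application-attack; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL test command overflow"; flow:to_server,established; content:"HELO"; classtype:attempted-admin; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC test beacon"; flow:to_server,established; content:"/gate.php"; classtype:trojan-activity; sid:9000003; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE test heap spray"; flow:to_client,established; content:"unescape"; classtype:attempted-user; sid:9000004; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL test probe"; flow:to_server; content:"|12 01|"; classtype:attempted-recon; sid:9000005; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE test DNS query to sinkhole"; content:"|03|bad|07|example|03|com|00|"; classtype:trojan-activity; sid:9000006; rev:1;)
"""

# Rule header: [#] action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|log|pass|reject|sdrop)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def _opt(opts, name):
    """Return the value of a 'name:value;' option (quotes stripped), or None.
    Simplification: a ';' inside a quoted msg would cut the value short."""
    m = re.search(r'(?:^|;)\s*' + name + r':\s*"?([^";]*)"?\s*;', opts)
    return m.group(1).strip() if m else None


def parse_rules(text):
    """Parse rule lines into dicts; comments and non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        opts = m.group("opts")
        msg = _opt(opts, "msg") or ""
        rules.append({
            "sid": int(_opt(opts, "sid") or 0),
            "enabled": m.group("disabled") is None,   # '# alert ...' is disabled
            "src": m.group("src"), "dst": m.group("dst"),
            "flow": _opt(opts, "flow") or "",
            "classtype": _opt(opts, "classtype") or "unknown",
            "category": msg.split(" ", 1)[0],          # e.g. SERVER-WEBAPP
        })
    return rules


def classify(rule):
    """Which side of the connection does this rule defend?"""
    inbound = rule["src"] in ("$EXTERNAL_NET", "any") and rule["dst"] != "$EXTERNAL_NET"
    to_server = "to_server" in rule["flow"]
    to_client = "to_client" in rule["flow"]
    if rule["dst"] in SERVER_VARS or (inbound and to_server):
        return "inbound-to-hosted-service"   # needs an exposed listener to fire
    if to_client:
        return "client-side-exploit"         # user visits a hostile server
    return "outbound-or-indicator"           # C2 beacons, sinkhole lookups, etc.


def summarize(rules, hosts_services=False):
    """Count enabled rules per class and list categories that are pure
    hosted-service rules (droppable unless this network hosts services)."""
    by_class, by_cat = Counter(), defaultdict(Counter)
    for r in rules:
        if not r["enabled"]:
            continue
        cls = classify(r)
        by_class[cls] += 1
        by_cat[r["category"]][cls] += 1
    droppable = sorted(cat for cat, c in by_cat.items()
                       if not hosts_services and set(c) == {"inbound-to-hosted-service"})
    return {"by_class": dict(by_class), "droppable_categories": droppable,
            "enabled": sum(by_class.values()), "total": len(rules)}


def disablesid_lines(rules, categories):
    """gid:sid lines (pulledpork style, gid 1 assumed) for enabled rules in
    the given categories, to paste into a disable-SID list."""
    cats = set(categories)
    return [f"1:{r['sid']}" for r in rules if r["enabled"] and r["category"] in cats]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    report = summarize(rules)
    print(report)
    print(disablesid_lines(rules, report["droppable_categories"]))
```

    Point it at the rule files Snort actually loads (on pfSense they sit under the Snort package's per-interface rules directory) instead of SAMPLE_RULES, and the "inbound-to-hosted-service" count is the share of enabled rules that cannot fire on a no-open-ports home network; the client-side and outbound classes are the ones worth keeping for the clicked-link scenario. The classification is a heuristic on direction and flow keywords, so review a category before disabling it wholesale.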


  • Should have told us what hardware you got. Also, I think maximum security takes a while to achieve, in the sense that it's a continuous learning process. It also seems that you need more RAM. I am running pfSense 2.4.2 on an HP Pavilion a6242n with the following packages: Snort, Suricata, Iperf, Ntopng, pfBlockerNG, Squid with antivirus…here's my performance below.

    ![Screen Shot 2017-12-08 at 9.13.28 PM.png](/public/imported_attachments/1/Screen Shot 2017-12-08 at 9.13.28 PM.png)

  • I have an SG-2440, pfSense 2.4.2, 4 GB of RAM; I am up to 92% RAM usage. CPU seems fine... Thanks for sharing what you are running; it seems like you run a lot and have a rock-solid configuration. I googled your HP Pavilion; are you running that with 3 GB of RAM? I have to assume you added more...

    I am running pfBlocker and Snort...but it looks like Snort is taking up most of the resources.

    I have a lot of rules running, but I struggled to tell rules that are more for management from rules for threats... I understand there is some overlap, but are there rules I just don't need for my use?

    Looking at your setup... I like the sound of Squid antivirus but struggled with setting up just the antivirus part. Is this possible?

