Netgate Discussion Forum
    running Suricata/Snort on a SG-1100 not a good idea ?

IDS/IPS
    8 Posts 5 Posters 3.4k Views
informel

I am upgrading my internet speed to 200/30 Mbps and want to change my router.
This is for home usage.
My son is running a game server (few users so far), but the rest is normal stuff, no VPN or other special things.
      I wanted to buy an SG-1100 and run Suricata or Snort on it, but it looks like the unit may not be strong enough for that.

Is it better to have the router hand off to an external server (Intel-based) that has more power, or is the SG-1100 good enough for that?

akuma1x

        I don't have one myself, but I'm pretty sure the SG-1100 is plenty powerful for Snort or Suricata.

        https://www.netgate.com/blog/netgates-new-sg-1100-punches-way-above-its-weight.html

        Also, here's some feedback on running IDS/IPS on/for home internet connections:

        https://www.reddit.com/r/PFSENSE/comments/5fjexm/is_snort_needed_for_a_home_connection/

        https://www.reddit.com/r/PFSENSE/comments/6i88dd/is_snort_overkill/

        https://www.reddit.com/r/OPNsenseFirewall/comments/ach76v/intrusion_detectionblocking_suricata_is_it_really/

        Jeff

informel

Thanks for the information.
It's just that I saw someone using Suricata on something more powerful than the SG-1100, with 4 GB of RAM, and the CPU was really busy.

If I don't turn everything on (not required for home use), it should be OK.

bmeeks

            It will work if you are stingy with the number of rules you enable. The SG-1100 has only 1 GB of RAM, and that can quickly get consumed by Suricata (or Snort) rules.

See this thread for an example where the user had too many rules enabled and was running out of RAM during rules updates, when Suricata (or Snort) temporarily keeps two complete copies of the rules in RAM:

https://forum.netgate.com/topic/145192/snort-running-on-sg-1100-randomly-stops-working. While his issue was with Snort, Suricata is susceptible to the exact same issue if you enable too many rules.

informel

              Thanks for the info.
Memory is so cheap these days, I do not understand why this thing has only 1 GB.

costanzo @informel

                @informel I purchased a SG-1100 for my house and highly recommend it. I am running the following with no problem:

                pfBlockerNG devel (This is awesome - no more ads!)
                Snort (running only on the WAN)
ACME (for Let's Encrypt)
                Avahi (so I can use AirPlay and AirPrint)
                OpenVPN
                7 VLANs
                DNS Resolver (on by default)

                My ISP is through Comcast and I have a 100/20 connection.

As far as performance, I have seen no loss of speed. For example, I run an Xfinity speed test and I get the speed I am paying for. OpenVPN from my iPhone works with no disconnects. Sometimes I forget to turn it off, only to find it still running.

I did run into some issues with the Snort service stopping during updates, but after following a suggestion from bmeeks to use the "connectivity" IPS profile I haven't had this issue since. I think Snort is a very resource-needy service.

Again, for a small environment like a home, in my opinion, it is an excellent choice. I work in IT and this is what I run at home.

informel
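The rule-budget warning in bmeeks' post and the "connectivity" IPS profile costanzo ended up on both come down to the same question: how many rules are actually enabled once the ruleset is loaded. The script below is an added example written for this thread; it is not code from the forum, from Netgate, or from the pfSense Snort/Suricata packages. It parses a rules file in the syntax shared by Snort 2.x and Suricata (one rule per line, a leading `#` disables a rule, `metadata:` carries the Talos `policy <name>-ips` tags that the pfSense IPS Policy setting keys on), counts enabled rules per classtype, filters them to one policy, and gives a rough peak-memory estimate for a reload that holds two copies of the rules. The sample rules, their SIDs and the per-rule memory figure are constructed or assumed, not taken from any real ruleset.

```python
"""Count enabled Snort/Suricata rules and filter them to an IPS policy.

Added example for this thread; not part of the pfSense packages.
Under pfSense the live file is usually something like
/usr/local/etc/snort/snort_<id>_<iface>/rules/snort.rules (assumed path).
"""
import re
from collections import Counter

# Constructed sample rules (made-up SIDs in the 9000000 range, not real rules).
SAMPLE_RULES = """\
# comment line that is not a rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flow:to_server; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:attempted-admin; sid:9000001; rev:3;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Suspicious user agent"; content:"User-Agent|3a| evil"; metadata:policy security-ips drop; classtype:trojan-activity; sid:9000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Disabled SMB rule"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; sid:9000003; rev:2;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"RDP scan"; flags:S; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-recon; sid:9000004; rev:1;)
alert udp any any -> any 53 (msg:"DNS query with no policy metadata"; classtype:misc-activity; sid:9000005; rev:1;)
"""

RULE_ACTIONS = ("alert", "drop", "pass", "reject", "log", "sdrop")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
CLASSTYPE_RE = re.compile(r"\bclasstype:\s*([\w-]+)\s*;")
METADATA_RE = re.compile(r"\bmetadata:\s*([^;]*);")
POLICY_RE = re.compile(r"policy\s+([\w-]+)\s+(\w+)")


def parse_rules(text):
    """Return one dict per rule line, whether enabled or commented out."""
    rules = []
    for line in text.splitlines():
        body = line.strip()
        if not body:
            continue
        enabled = True
        if body.startswith("#"):
            enabled = False
            body = body.lstrip("#").strip()
        action = body.split(" ", 1)[0]
        if action not in RULE_ACTIONS:
            continue  # an ordinary comment, not a disabled rule
        sid = SID_RE.search(body)
        if not sid:
            continue
        policies = {}
        meta = METADATA_RE.search(body)
        if meta:
            for name, act in POLICY_RE.findall(meta.group(1)):
                policies[name] = act
        ctype = CLASSTYPE_RE.search(body)
        rules.append({
            "sid": int(sid.group(1)),
            "action": action,
            "enabled": enabled,
            "classtype": ctype.group(1) if ctype else "unknown",
            "policies": policies,
        })
    return rules


def enabled_by_classtype(rules):
    """Counter of enabled rules per classtype: the first thing to trim."""
    return Counter(r["classtype"] for r in rules if r["enabled"])


def select_policy(rules, policy):
    """Keep only enabled rules tagged for the given policy (e.g. 'connectivity-ips')."""
    return [r for r in rules if r["enabled"] and policy in r["policies"]]


def peak_reload_mb(rule_count, per_rule_kb, baseline_mb):
    """Rough peak RSS during a reload, when two copies of the rule set coexist.

    per_rule_kb is an ASSUMED cost you must measure on your own box
    (for example compare the process RSS before and after loading a known
    number of rules); baseline_mb is the process size with no rules.
    """
    return baseline_mb + 2 * rule_count * per_rule_kb / 1024.0


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("enabled per classtype:", dict(enabled_by_classtype(rules)))
    for policy in ("connectivity-ips", "balanced-ips", "security-ips"):
        print(policy, "->", [r["sid"] for r in select_policy(rules, policy)])
    # 64 KB per rule and a 200 MB baseline are assumed figures for illustration.
    print("peak MB for 8000 rules at reload:", peak_reload_mb(8000, 64, 200))
```

Run it against the real rules file instead of `SAMPLE_RULES` to see which classtypes dominate and how much the enabled set shrinks when only `connectivity-ips` rules are kept; compare the `peak_reload_mb` figure with the free memory on the box, since the reload, not steady state, is the moment a 1 GB unit runs out.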

Thanks for the info, you convinced me.

guitarchitect @costanzo

@costanzo said in running Suricata/Snort on a SG-1100 not a good idea ?: (quoting the post above)

Hopefully this isn't so old that you don't see this, but I'm wondering what you mean when you say you are running Snort on WAN only? I'm reading that the 1100 can be under-powered for IDS, but as it's my house I don't think I need really crazy rules in place; I just want to know if/when something happens. I can only really afford the SG-1100 right now and it would be great to hear your thoughts on this (and how it's going, a year later).

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.