Netgate Discussion Forum

    SG1100 and Snort?

      raspier

      Relatively new to my SG1100. Got it for my house. Set up Snort and it failed in about 2.5 minutes, consistently. Logs show: pid XXXX (snort), jid 0, uid 0, was killed: failed to reclaim memory
      OK - that is pretty clear.

      Looked around blogs and videos and posts here... seems minimizing the ruleset would lessen the memory consumption, so

      • I deleted Snort,
      • rebooted and then
      • re-added Snort and
      • enabled one interface for Snort.
      • I set the IPS Policy to "Connectivity" from Balanced.
      • I added ONLY the ET Open Rules as a test (so the long list of Snort Text Rules, Snort SO rules and OPENAPPID rules are all there, but not enabled), and no other packages loaded (except WireGuard, but it is not configured or enabled), and Snort now loads for about 4 mins before it dies. Same error:
        pid XXXX (snort), jid 0, uid 0, was killed: failed to reclaim memory

      Q1) Is there any practical way to use Snort on an SG1100 or is it really not possible with only 1GB RAM? And if so,

      Q2) can there be a robust implementation of Snort on a 2100 with only 4 GB RAM, and be able to upgrade the rules and therefore host 2 copies of the rules in RAM at the same time while the old rules are removed and the new ones are coming in, along with a WireGuard VPN? Or is some crappy mini PC the way to go?

      Thanks

        SteveITS Galactic Empire @raspier

        @raspier Do you have any other packages running? You can minimize ZFS ARC but that is supposed to release if the OS needs RAM. How much RAM is in use on your router?

        Live-reloading the rules will take more RAM; you could just not do that, and restart Snort.

        We've used the similar Suricata for several years, and many of our clients have 2100s. 4 GB RAM is a big step up from 1 GB, to pfSense. I do not know if we've ever installed either on an 1100. We did on 3100s (2 GB RAM).

        FWIW by default the Snort config would survive deleting and reinstalling it (which is how the package upgrades) so that step doesn't really help.

        Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
        Upvote 👍 helpful posts!

          JonathanLee @raspier

          @raspier You have SO rules; can you please share a screenshot of that? The ARM processor does not do SO rules; they should not even be there.

          Make sure to upvote

            bmeeks

            An SG-1100 is just not enough hardware to run Snort well. Maybe if you only run about 100 rules tops, it would work 😊. Really need 4GB of RAM to run either of the IDS/IPS packages comfortably. You can get them to work in 2GB boxes, but it's dicey - especially if you run any additional packages.

            The error you are seeing is the OS going into full panic mode and killing the largest memory consuming process in order to preserve critical operating system processes. In your case, Snort is the biggest consumer of RAM, so it is chosen by the OOM (out-of-memory) Killer subroutine as the process to be nuked so that the system can survive (not crash by running critical processes out of memory).

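An added example, not part of any post in this thread: a Python sketch that scans system log text for the kernel kill message quoted above and flags a process that is killed repeatedly within a short window, as Snort was here. The syslog prefix, the hostname `fw`, the PIDs and the timestamps in the sample are constructed, and the 15-minute window and threshold of 3 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kernel message text as quoted in the thread; the "Mon DD HH:MM:SS host kernel:"
# prefix is an assumed BSD-syslog layout.
KILL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+\S+\s+kernel:\s+"
    r"pid\s+(?P<pid>\d+)\s+\((?P<name>[^)]+)\),\s+jid\s+\d+,\s+uid\s+\d+,\s+"
    r"was killed:\s+(?P<reason>.+)$"
)

# Constructed sample lines (hostname, PIDs and times are made up).
SAMPLE_LOG = """\
Jul 11 16:02:10 fw kernel: pid 4211 (snort), jid 0, uid 0, was killed: failed to reclaim memory
Jul 11 16:03:00 fw cron[812]: (root) CMD (/usr/bin/true)
Jul 11 16:06:41 fw kernel: pid 5120 (snort), jid 0, uid 0, was killed: failed to reclaim memory
Jul 11 16:10:55 fw kernel: pid 6033 (snort), jid 0, uid 0, was killed: failed to reclaim memory
Jul 11 19:45:00 fw kernel: pid 7001 (unbound), jid 0, uid 59, was killed: failed to reclaim memory
"""

def parse_kills(text, year=2025):
    """Return one record per kernel kill message; other lines are ignored."""
    kills = []
    for line in text.splitlines():
        m = KILL_RE.match(line)
        if m:
            # BSD-style timestamps carry no year, so the caller supplies one.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            kills.append({"time": ts, "pid": int(m["pid"]),
                          "name": m["name"], "reason": m["reason"]})
    return kills

def repeated_kills(kills, window=timedelta(minutes=15), threshold=3):
    """Map process name -> most kills seen inside any single window, if >= threshold."""
    by_name = defaultdict(list)
    for k in kills:
        by_name[k["name"]].append(k["time"])
    flagged = {}
    for name, times in by_name.items():
        times.sort()
        start = best = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[name] = best
    return flagged

if __name__ == "__main__":
    for name, count in repeated_kills(parse_kills(SAMPLE_LOG)).items():
        print(f"{name}: killed {count} times within 15 minutes")
```
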
              raspier @SteveITS

              Thanks, @SteveITS
              The box otherwise seems to run 30-40% RAM consumption. No other packages running - the OOTB pfSense items. Ya - I am thinking this is the wrong HW because of the 1GB RAM limitation.

                raspier @bmeeks

                @bmeeks Yes - that's what I figured it was doing. At least it was super consistent. :-)

                Hmmm.... more shopping!

                  JonathanLee @raspier

                  @raspier The 2100-MAX runs Snort really well but it won't do SO objects. It does everything else. See Snort SO rules: I have a paid subscription with a code and everything, but the SO rules never populate. Do they show up on your 1100?

                  Screenshot 2025-07-11 at 16.34.49.png

                  "Your Netgate 2100-MAX uses an ARM64 CPU (Marvell ARMADA).

                  ❗ Important Limitation:

                  Snort SO rules are precompiled binary modules. Cisco/Sourcefire only provides precompiled SO rules for x86_64, not ARM.

                  That means SO rules are not available on the Netgate 2100, 3100, 1100, or any ARM-based device." So how do yours show up???

                  Make sure to upvote

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.