Net4801 fast enough for snort?



  • Hello everyone….

    I resently got hold of an Soekris net4801(266mhz, 128mb). I have installed the nanobsd edition on it. Latest 1.2.3 version. I use a 30x CF card for the installation. It seems to work fine, and after som tweeking it is up an running most of my services. pfsense is an exelent distro :-)

    So for the million dollar question. Is this hardware fast enough for running the snort package? The package is functional on the nano version, but on the packet webpage the author states that a minimum of 500mhz and 256mb ram is needed. I seem to get the package installed and configured, but there are no snort events in the log what so ever.

    The thing is that I used to be a smoothwall user with snort on it, and it looks like I have a lot of attacs om my wan interface, so I would really like to have snort up and running. I have a vmware server on the lan i can install snot on, but that would demand a lot of tweeking av setup to get it working.

    Somneone who can help?

    Best regards
    Baard Lindberg
    Norway



  • I once used someone's else net4801 and it wasn't fast enough to even use QoS on a cable connection, so I doubt it would be fast enough to run snort.

    I have a net5501 at home it is replacing an old P3 750 MHz and I find my QoS way less responsive with the net5501-70 than with my P3 750. My net5501 also have a vpn offloading board from soekris, since I have 3 IPSec vpn up all the time.

    I'm now looking to sell that Soekris to buy Intel Atom N330 based board. I paid near 500$ for the soekris would let everything go for 300$ including The case, the 4 ports 10/100 nick (soekris), the vpn board and the power supply for North America, I'll even leave the CF that is in it right now, everything is like new and it's been in use for 5 month now.

    MageMinds



  • After posting my last post, I found that pfSense does not enable polling by default and that you have to enable it and tune it to make it efficient for the speed your get from your ISP.

    Finally my router as fast and responsive when I download or upload at QoS maximum throughput. I can now top my connexion of peer-2-peer up and down and make a speed test over http (high priority) and get like 85% of the speed instantaneously, before activating polling the speed handover was slowish, I could have get the same speed, but it took too much time for the speedtest.net, the test finished before the router could hand over the speed. Now it's almost as if I'm not even doing p2p.

    One thing that didn't change, the Interrupts usage didn't decrease at all, the CPU always use 10% interrupts on idle and about 20% at 10 mbits, my gain was responsiveness.

    Thanks to the forum for all the informations!

    Edit: now with kern.hz=532 (instead of 1000) I'm hovering around 4~5% interrupt at idle, with up and down maxed out it's now around 25% interrupts and still high responsiveness from the router QoS process.



  • You'll probably be able to run snort.  That said you'll almost certainly have memory issues and you'll probably not be able to use anything more than a few simple rules (ie those looking for IP addresses).  The more rules you have and the more complex they are the more processing power (and memory) you need.



  • Thank you for your help. I have tested Snort on it and it did work, but very slow. I have orderd new hardware for pfsense and that will probably solve all my problems :-)

    Regards
    Baard


Log in to reply