Snort, NanoBSD & Compact Flash writes



  • Hi,

    just installed snort on a pfSense 2 NanoBSD image that we've deployed to an Alix board with an 8GB CF Card as primary storage.  I'm surprised that Snort actually went on, as I was under the impression that the Snort package would only install on the full version of pfSense.  Given that it's actually installed, do I need to worry about the finite number of writes the CF card will sustain before it fails, or has something 'clever' been done with the newer NanoBSD builds to run Snort from a RAMdisk or similar ?

    If that is the case, will pfSense run like a 3-legged dog if Snort is running completely from RAM and the Alix only has 256Mb to start with ?

    Ideally this box is going to serve as the perimeter firewall for a small office of 10 staff or so with no VPN requirements, and WAN is typical UK spec broadband, so syncs at about 4mb down, 512k up.  Am I asking too much to run snort on such a low-spec device ?

    Thanks

    Jake



  • I tried this on my Alix on 30/3 cable here in Ireland, just 5 people using it, and even with snort with LOWMEM, it fell over in a matter of hours (OoM). I turned it off after that.

    I don't think flash writes is your primary concern in this case, ALIX doesn't have enough memory and processing power to run this properly in my opinion.



  • I have not done much testing of this on Alix.
    But in theory if you disable alert.log writing you should be fine if you setup the proper limits of RAM usage.
    Though there is no auto-tuning done on those limits by default to adapt to the environment where its running.

    Possibly a TODO on my list but not sure if/when i will come close to that.



  • Might have been too quick uninstalling it, I didn't tune at all, might have enabled too many patterns as well.

    Not required for my environment anyway, so couldn't be bothered ;D


Locked