Snort Hardware Requirements



  • I have been running the (latest) 64-bit embedded version of pfSense for the past eight months without any significant problems. I have, until now, loaded no packages; however, I am currently experimenting with Snort. My platform is a Supermicro Atom D525 motherboard with 8 GB of RAM and I am running pfSense from a 4 GB USB thumb drive. The only (marginal) disadvantage that I have encountered with this platform is delayed booting time due to slow program loading from the thumb drive. I am wondering if it is possible to run Snort in such a way that it does not write its logs to my USB thumb drive (as I do not desire the drive to prematurely fail due to excessive read/write activity)? I know Snort must write rule updates to the USB thumb drive, but, assuming the updates are not large files, should I be reassured that adjusting Snort's settings to update the rules no more often than on a daily basis will not result in premature drive failure?

    I am wondering if activating Snort is really necessary in my home environment (I have set no ports open)?  Opinions welcome, thank you.




  • @Nonsense:

    I am wondering if activating Snort is really necessary in my home environment (I have set no ports open)?

    If you don't know why you are running snort, don't run it.



  • That sort of answer does not help.



  • You will probably need a hard drive (or a place for snort to store the logs) to run snort. I'm sure it can be done (with just a thumb drive), but snort compares network packets and listens to every packet sent and received across the wire that is being monitored. Snort has a database of traffic signatures that are common network attacks or other malicious activity. Snort compares every packet to that database. If a match is found, then rules can be configured to take action. That action varies between passive response (just logging it or sending an email) and active response (doing something to stop the malicious activity from happening).

    And, the question you need to ask yourself is "What do I do WHEN my network gets hacked?" not "What do I do IF my network gets hacked." It's only a matter of time before it happens. Do you want to be alerted when a known attack enters your network from the Internet or goes across your LAN? This is a job for Snort.



  • Thank you, SlowGrind, for your reply to my post. What I would like to do is to implement some of the blocking functionality of Snort, however, without the verbose logging to my thumb drive; I'd rather just be able to see the Snort logs stored in RAM, and when I lose them while rebooting, well, I didn't really need them saved anyway. I found one Snort setting that limits Snort drive log space in a NanoBSD build; would adjusting this setting to zero (0) work? I am doing my content filtering via DynDNS Internet Guide and that works pretty well for me, so I don't need Squid for my particular application.

    In thinking more about this problem, it would be nice if pfSense could be set up to use two drives: one (solid state) drive for the (embedded) operating system and one (mechanical) drive for all logging.  It would seem to me that such a setup might provide a user the best of both worlds--if the logging drive got corrupted during a power outage/reboot, the operating system drive would remain unaffected.



  • How big are those logs? Is /tmp (which is actually in RAM) not enough for them to be stored in? And maybe some automation to write them to disk only before reboot.
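One way to do what the post above suggests, as an added example that is not code from this thread or from pfSense: keep Snort's alert logs in a RAM-backed directory and copy them to the thumb drive only on demand (from a shutdown hook or a cron job), so the drive sees one write burst instead of constant small writes. RAMLOG, PERSIST and the function names are assumptions, and the script assumes Snort opens its text alert file in append mode so truncating it in place is safe.

```shell
#!/bin/sh
# Assumed paths for this example (not pfSense defaults):
RAMLOG="${RAMLOG:-/tmp/snortlog}"               # RAM-backed (tmpfs/md) directory Snort logs into
PERSIST="${PERSIST:-/var/log/snort_archive}"    # directory on the thumb drive

# flush_snort_logs SRC DST
# Copies every non-empty regular file under SRC into a timestamped
# subdirectory of DST, then truncates the originals so Snort keeps
# appending without the RAM directory growing without bound.
# Prints the archive directory it created; prints nothing if there
# was nothing to archive.
flush_snort_logs() {
    src="$1"; dst="$2"
    [ -d "$src" ] || { echo "no log dir $src" >&2; return 1; }
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$dst/$stamp"
    mkdir -p "$out" || return 1
    n=0
    for f in "$src"/*; do
        [ -f "$f" ] || continue      # skip subdirectories and unmatched glob
        [ -s "$f" ] || continue      # nothing to archive in an empty file
        cp -p "$f" "$out/" || return 1
        : > "$f"                     # truncate in place (append-mode writer keeps working)
        n=$((n + 1))
    done
    if [ "$n" -eq 0 ]; then
        rmdir "$out" 2>/dev/null     # drop the empty archive directory again
        return 0
    fi
    echo "$out"
}

# ramlog_usage_kb DIR
# Size of the RAM-backed log directory in KiB, so a periodic job can
# flush early when it passes a threshold rather than waiting for shutdown.
ramlog_usage_kb() {
    du -sk "$1" | awk '{print $1}'
}

# Example periodic use (uncomment in a cron job or shutdown hook):
# [ "$(ramlog_usage_kb "$RAMLOG")" -gt 51200 ] && flush_snort_logs "$RAMLOG" "$PERSIST"
```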


  • Netgate Administrator

    @Nonsense:

    I am wondering if activating Snort is really necessary in my home environment (I have set no ports open)?

    I think I can say, with a high degree of probability: it is not necessary.
    That's from a security point of view. However, there's nothing to stop you running it for educational purposes. I have never tried to run snort from a flash drive; I would advise switching to a full install on a HD if you want to run Snort.
    Be aware that running Snort is all about tuning it to your situation. If you aren't careful you will have far more false positives than real hits and it will become more trouble than it's worth.  ;)

    Steve



  • Thanks, Steve; I was hoping you would see my post. I have also read somewhere in the packages forum that Snort may slow loading web pages down while it writes logs to memory; so if it is writing to a slow device (such as a USB drive), it might process very slowly?

    I can buy a 32 GB SanDisk USB thumb drive at Radio Shack today for ca. $24.00, so available space for log storage does not appear to be an issue. I am still wondering if storage logging can be turned off in Snort?



  • I think you can turn logging off, but I'm not too sure; that is one of the main reasons to use snort: to go through the logs and look at what has been going down or up the wire. You probably just want to enable Network Intrusion Detection System (NIDS) mode so that you don't record every single packet sent down the wire.



  • @Nonsense:

    I am wondering if activating Snort is really necessary in my home environment (I have set no ports open)?

    My answer is not hardware related, but:

    I assume you mean all ports from the Internet are closed, but all ports outward are open.

    If/when your computer is compromised by malicious code, I can bet that it happens while surfing the web and a webpage will take advantage of a vulnerability on your system (PDF, Flash, browser, Java or similar). The malicious code might have a call-back function so it connects to a server that either uploads new malicious code or adware, or is able to control your machine. This connection will be done in intervals and will never be initiated from the outside, but from your computer. So having all ports blocked will not help you.

    Snort might be able to detect this traffic, but that depends on whether you are willing to use time to tune Snort and actually use time to investigate the alerts. If not, you will not have any advantage from using Snort.

    You would probably use less time by having your system patched all the time and running scans of your systems now and then, minimizing the risk of actually being compromised by surfing the web.

    While I'm at it, here are some things I would recommend (even if you didn't ask):
    Personal Software Inspector (PSI) - Free for personal use. Scans all programs installed and reports outdated programs. Really useful.
    Qualys Browser check - Checks if your browser (Chrome, FF and IE), plugins, FW, AV, WU are vulnerable or outdated.
    Firefox plugin checker

