WatchGuard Firebox x500 - HDD for Snort



  • Hello,

    I am planning to run Snort IDS on my x500. I was wondering if anybody can suggest a hard drive brand/model and size that would be typical for Snort purposes. I have 3.5 and 2.5 laptop hard drives. The 3.5 one is too big and won't fit. I can have it running but then I can't slide in the top of the box. The 2.5 is too small but the problem is that it doesn't use a standard port…I can't even figure out what the size of the connector is. It is smaller than the one inside the Firebox.

    If anybody can just shoot me a few pointers on this one. I am open to purchase one if there is no other connector I can use for my 2.5 inch laptop hard drive. In terms of size of the drive, I wasn't going to get anything less than 80g, but please let me know what is a typical size for hosting Snort signatures.

    I am very new to pfsense but so far it has been a great experience. Got my OpenVPN running and would love to have a working IDS on my house network.


  • Netgate Administrator

    You should use a 2.5" HD because there is no easy way of providing power to a 3.5" drive. The HD bay on the front is designed to fit a 2.5" laptop drive. Watchguard used a 40GB drive in the SSL-Core box, which is almost identical to the X500, however getting hold of the correct caddy is almost impossible.
    It's been a while since I looked inside one of those boxes but other people report simply connecting the drive. So you're saying that the short cable inside the drive bay is not 44-pin IDE?

    Steve



  • Steve,

    That is what I am reading on the Internet. It is supposed to be 44 pin IDE. I was trying to use a Toshiba 2.5 2A02 hard drive, but it doesn't fit that connector. So I am trying to figure out whether the connector on the box is not 44 pin, or the connector on the hard drive is not 44 pin. If you can confirm that the Firebox X500 uses 44 pin that would be great.

    Also, do you know what should be a good size for running IDS signatures?

    http://www.amazon.com/MK1031GAS-Toshiba-Super-Slimline-HDD2A02/dp/tech-data/B000JKZWOK/ref=de_a_smtd


  • Netgate Administrator

    Ok, I opened my X700 (same box).
    On the motherboard itself there are two IDE connectors at the back right just behind the CF card. One is labelled IDEA1, that is a 44-pin laptop style connector, the other is labelled IDEB1, that is a standard 40-pin IDE connector.
    The hard disk caddy and its carrier is connected to the 44-pin socket. The very short piece of cable used should be sufficient to connect your drive. However I tried connecting a drive I had to hand and the master/slave select pins on the back of the drive obstructed the cable connector. Is that the issue you are seeing?

    The Snort signatures should not be more than a few GB. If they are, the firebox will struggle because it doesn't have enough RAM to hold them usefully. 256MB (512MB max.) is a small amount of RAM for Snort which is very memory hungry. You will have to be careful not to load too large a signature base.

    Steve



  • Steve,

    The male connector on the hard drive is too big for the 44 pin IDE on the firebox (short wire from the motherboard that is attached to the hard drive bay).

    I have 512 of RAM. You don't think it will be sufficient to run Snort on this device?



  • I found out what interface is on the drive. It's an ATA-6. That would explain why it doesn't fit. Sorry, I don't play around with hard drives often.

    But yeah do you think IDS will work on this box if it has 512mb of RAM?


  • Netgate Administrator

    Do you mean the plastic part of the connector is too large to fit or it has too many pins or the pin spacing is wrong?

    Snort will run but you will have to be careful not to ask too much of it. If it starts using swap space because it ran out of RAM it'll slow down dramatically!

    Steve

    Edit: Ah, ATA-6. It should still fit physically though.  :-\



  • Firebox connector is too small. The number of pins looks similar but spacing between the pins is different.


  • Netgate Administrator

    Weird. Googling for images of that drive it looks standard.
    There are two groups of pins. 44 pins (in two rows of 22) that the connector should fit onto. Separately there are 4 pins that are used for master/slave/cable selection. The connector on the firebox cable is quite wide, because it doesn't have to connect to a drive normally, and it is obstructed by any jumpers on the select pins on my sample drive.

    Any chance of a photo?

    Steve



  • Yeah, I will upload them later when I have access to the box. I will attach pictures of the wire and connector next to it. The male on the HDD is a bigger size than the female connector. Spacing is wider and the connector is longer.


  • Netgate Administrator

    So more like a standard desktop IDE connector? I've never seen a 2.5" IDE drive with anything other than the normal 44-pin small pitch connector. I await the photos.  :)

    Steve

    Here's a picture of my drive and cable for comparison. It's a 20GB Toshiba drive.

    Erm… photo a bit bigger than expected!

    ![xcore ide cable.jpg](/public/imported_attachments/1/xcore ide cable.jpg)



  • Steve,

    I figured it out. I was being stupid…honestly...

    Quick question: which pins need a jumper to configure this drive in slave mode? I need to figure out how I can upload signatures to the IDE but run pfsense off the current CF card.

    Thanks for your help...kinda wasted your time...



  • Yeah…so far the box is not detecting the drive when I ssh into the shell and do "mount" and "df"...



  • Oh man. I feel like all odds are against me here…I can't find serial cable to get into BIOS... ::)


  • Netgate Administrator

    The jumper setting for master/slave is different for each drive but there is usually some instruction marked on the drive itself.
    There is also a jumper on the motherboard I have a feeling could be something useful here, I don't have the box to look at right now.

    If you get the box detecting the drive much the easiest way to use it is to boot from the HD exclusively, remove the CF card. Using both media types is not really a supported option. It can be done but there is some command line tweaking necessary and it probably wouldn't survive an update.

    Accessing the BIOS on that box is not easy; you cannot do it with just a serial cable. There is no console redirect. You have to use a PCI graphics card and a keyboard header connector.  :(

    Steve



  • Is there a way to copy the content of the CF card to the hard drive? Fresh install is not going to work here for me since I have multiple patches installed on the CF card that fix issues with LED and LCD.



  • Steve,

    Let me know if there is a way to port everything that I got on my CF card to the IDE hard drive. Let me know if I should create a separate thread in different category. Thanks for your help.


  • Netgate Administrator

    No there's no way to move everything from Nano install to the full install. However you can backup and restore your config file to the new install. The config file is supposed to contain everything but if you have used the old manual LCD install and put WGXepc on there these will need manual reinstatement. Think of it as a good excuse to document all your custom changes.  ;)

    This is your thread so if the topic has changed slightly I don't think it's a problem.

    Steve



  • Steve,

    Thanks for all your help. I think I will leave my Firebox alone for now. I am thinking about putting Snort on my Windows Server 2008. Looking at different topologies here. Looks like I just need another NIC on it and to SPAN a port on a switch. I am not very good with Linux…PfSense is awesome though...

