Embedded hardware for snort



  • hello,
    =is embedded hardware recommended at all for soho snort implementation? if not, what is your recommendation?
    =is it possible at all to implement an alix2d13 (alix2d3 = 3 LAN / 1 miniPCI / LX800 / 256 MB / USB) on this scenario?

    thanks



  • @ozlecz:

    hello,
    =is embedded hardware recommended at all for soho snort implementation? if not, what is your recommendation?
    =is it possible at all to implement an alix2d13 (alix2d3 = 3 LAN / 1 miniPCI / LX800 / 256 MB / USB) on this scenario?

    thanks

    256 MB of RAM is woefully inadequate for even a modest Snort rule set.  Snort will easily consume 2 GB or even 4 GB of RAM with a moderately comprehensive rule set.  So I would not recommend running Snort on the hardware you listed.

    Bill



  • the new Alix APU.1c4 now comes with 4GB.. won't this be enough for a 50 user organization?



  • @ozlecz:

    the new Alix APU.1c4 now comes with 4GB.. won't this be enough for a 50 user organization?

    The CPU is not powerful enough. It is possible to run on it (maybe) but don't expect reasonable responses on page loads.

    Snort could run on 2GB if you relax the rules down to the bare minimum. Once rules are loaded in RAM, the CPU takes a hit on processing them against every bit of information going back and forth through the firewall.



  • so do you know then any fanless embedded hardware that would run snort..target network is SMB..thx



  • I haven't tested the latest Atom processors. Some folks have got Snort to work on the earlier Atom models as well but I doubt the performance is worth going that route.

    Why are you looking for embedded hardware? Is it because of space constraints?

    You could assemble a simple 1U enclosure with a Celeron or i3 processor with a passive heat sink on it. That would be the best possible scenario as the Celeron/i3 will have the necessary power plus extra CPU cycles to spare in case in future you wish to do more on that box. A passive heat sink with a picoPSU should be super quiet.

    Check this out…

    http://www.mini-box.com/M350S-enclosure-with-picoPSU-80-and-60W-adapter



  • @asterix:

    I haven't tested the latest Atom processors. Some folks have got Snort to work on the earlier Atom models as well but I doubt the performance is worth going that route.

    Why are you looking for embedded hardware? Is it because of space constraints?

    You could assemble a simple 1U enclosure with a Celeron or i3 processor with a passive heat sink on it. That would be the best possible scenario as the Celeron/i3 will have the necessary power plus extra CPU cycles to spare in case in future you wish to do more on that box. A passive heat sink with a picoPSU should be super quiet.

    Check this out…

    http://www.mini-box.com/M350S-enclosure-with-picoPSU-80-and-60W-adapter

    The Atom N2800 I'm phasing out at home seems to max out at around 50Mbit/s with the Snort rules I use.  I've got much higher hopes for my new C2758.



  • 8 Cores may sound promising but I doubt it would be a huge difference. Atoms are not meant to do heavy processing. Plain vanilla pfSense will work great for basic home use.

    Check this out.

    http://www.neweggbusiness.com/Product/Product.aspx?gclid=CJSdjOuFsb0CFaVQOgodZBUAiw&Item=9B-13-182-855&nm_mc=KNC-GoogleBiz&cm_mmc=KNC-GoogleBiz--pla--Server+Motherboards-_-9B-13-182-855&ef_id=Uy4ydQAAAaRIQhwV:20140326203218:s

    Looks great with Quad Gigabit NICs. Worth a shot :)



  • I just got that SuperMicro A1SRi-2758F.  Really, really nice.  It's practically purpose-made for a networking implementation.  Pretty much on idle with Snort and Suricata running.



  • @asterix:

    8 Cores may sound promising but I doubt it would be a huge difference. Atoms are not meant to do heavy processing. Plain vanilla pfSense will work great for basic home use.

    Check this out.

    http://www.neweggbusiness.com/Product/Product.aspx?gclid=CJSdjOuFsb0CFaVQOgodZBUAiw&Item=9B-13-182-855&nm_mc=KNC-GoogleBiz&cm_mmc=KNC-GoogleBiz--pla--Server+Motherboards-_-9B-13-182-855&ef_id=Uy4ydQAAAaRIQhwV:20140326203218:s

    Looks great with Quad Gigabit NICs. Worth a shot :)

    I'm not sure what your point was.  You said an Atom isn't enough and then posted the very same Atom board I've got here as a replacement for my DN2800MT.  The Avoton/Rangeley cores are significantly faster than the older Atoms.  They really should have changed the name.



  • @Jason:

    @asterix:

    8 Cores may sound promising but I doubt it would be a huge difference. Atoms are not meant to do heavy processing. Plain vanilla pfSense will work great for basic home use.

    Check this out.

    http://www.neweggbusiness.com/Product/Product.aspx?gclid=CJSdjOuFsb0CFaVQOgodZBUAiw&Item=9B-13-182-855&nm_mc=KNC-GoogleBiz&cm_mmc=KNC-GoogleBiz--pla--Server+Motherboards-_-9B-13-182-855&ef_id=Uy4ydQAAAaRIQhwV:20140326203218:s

    Looks great with Quad Gigabit NICs. Worth a shot :)

    I'm not sure what your point was.  You said an Atom isn't enough and then posted the very same Atom board I've got here as a replacement for my DN2800MT.  The Avoton/Rangeley cores are significantly faster than the older Atoms.  They really should have changed the name.

    LOL. My point was if embedded hardware is what the OP really wanted then he could try this…. based on your recommendation of C2758.



  • @priller:

    I just got that SuperMicro A1SRi-2758F.  Really, really nice.  It's practically purpose-made for a networking implementation.  Pretty much on idle with Snort and Suricata running.

    Have you loaded all of Snort rules just to test it? If not, could you please load the entire list of Snort rules and do a speed test to see how much bandwidth is available with this new Atom processor.

    It looks good to me but way too expensive for an Atom at the moment.



  • @asterix:

    @priller:

    I just got that SuperMicro A1SRi-2758F.  Really, really nice.  It's practically purpose-made for a networking implementation.  Pretty much on idle with Snort and Suricata running.

    Have you loaded all of Snort rules just to test it? If not, could you please load the entire list of Snort rules and do a speed test to see how much bandwidth is available with this new Atom processor.

    It looks good to me but way too expensive for an Atom at the moment.

    Using the "Balanced VRT" ruleset, plus a dozen group selections from ET, my DN2800MT hit 100% on a single core from snort at ~48Mbit/s.  The C2758 maxes my FiOS at 83Mbit/s with snort at 20% of a single core.  Assuming that it scales up linearly, that would put it at a cap of 400Mbit/s, just about right since I've seen numbers of 5-10x the speed of the previous generation depending on the task.

    Snort is supposed to be able to take advantage of QuickAssist but I've no idea if it actually is.  If not, there's more progress to be made here.

    EDIT: Updated C2758 with "real world" snort percentage & throughput estimate.  I'm not sure what speedtest.net does, but it drives snort nuts…



  • Hmm.. so I suppose sticking with an i3/i5 is still best for faster routing speeds. I doubt the annual power consumption difference in terms of $$ between the latest Atom and i3 is going to be that huge.



  • @asterix:

    Hmm.. so I suppose sticking with an i3/i5 is still best for faster routing speeds. I doubt the annual power consumption difference in terms of $$ between the latest Atom and i3 is going to be that huge.

    Depends.  If you're talking about two interface FW performance then yes, a dual-core i3 with a high clock speed is going to walk all over it.  If you're talking about running it as a "router" with 4, 6, 8 or more interfaces, and you plan to use snort on those interfaces, I suspect the C2758 will come out ahead.



  • Shouldn't Snort running on multiple interfaces need to have rules loaded for each of those interfaces, which in turn require more RAM for loading rules?

    How do I make pfSense run just as a "router"? Isn't it functioning as a firewall and a router at the same time?



  • Yeah, but RAM is cheap.  The new box I put in at home has 16GB now with room to expand to 32GB. Once 16GB SODIMMs are available I could bump to 64GB.

    If you don't want to run snort then don't install it.

