Should I use Snort?
-
My pfsense system is going to be for a home network. Once I get it configured I will probably rarely check in on it. I'll most likely just check in on it every once and a while to make sure everything is running smoothly, and to see the resource usage, and squid usage.
I heard that Snort can be a resource hog. The more security the better, but on my home network speed is the most important thing to me.
So with all this in mind, should I run Snort or not?
-
No one has an opinion on this?
-
You don't give enough information for anybody to say. Your choice of hardware will make a difference to whether or not you can run snort. The choice of whether or not to run it however is entirely yours…
-
Snort for the most part is just FYI, while it can block the ip for sixty minutes, it's mainly just reports activity that "might" be bad. My snort let's me know that the spammer virus knocks on my door at least twenty times a day…. I've got system to spare, so I like to have it running (See this post on how to run it in ac-bnfa for best performance with lest memory usage http://forum.pfsense.org/index.php/topic,7028.0.html)
But it's an extra package for a reason, it's up to you if you want it running.
-
My system specs
2.14 Celeron (socket 478)
1GB DDR333
80GB WD 7200rpm HDD
Micro ATX ASRock Intel chip based motherboard
Intel NIC
Intel gigabit NIC
D-link wireless NICon the LaN there are 2 desktops, and a media server (HTPC with extra programs running for downloading, and media streaming)
But will enabling Snort affect the performance of my pfsense box at all, or does it just use up RAM?
-
Enabling any package will have a performance impact. Enabling snort, which inspects every packet will have a performance impact, the exact details of which will depend on how you configure snort and the bandwidth and traffic profiles.
Certainly your hardware should cope with a default configuration of snort given what you've said. You will however want to customise it to remove all rules that are irrelevant to you to keep overheads to a minimum.
-
unfortunately I'm not sure how to do that, or which rules I should or should not use, but I'm sure I could figure it out.
