Snort question To Snort, or not to Snort



  • Hello all, after reading the forums for hours, and not finding what I was looking for I decided to ask the forum for help.

    I am trying to determine if there are any major issues with running Snort on my platform/environment.

    Hardware: Jetway NC9E-525 Mini-ITX Motherboard, Intel Atom D525, 5 Gig ports, 4GB RAM, SSD (SanDisk X110 64GB),
    Software: PF-Embedded-4GB-VGA on a SSD,  /var & /tmp RAM Disks are both 300MB each, RRD backup every 12 hours, DHCP lease backup never.
    Interfaces: WAN, LAN, OPT1, na, na
    VPN: Less than 12 OpenVPN clients

    From what I have configured so far I should not be killing my SSD (embedded with RAM disks, and limited backups).

    I understand that Snort would use more RAM, and that's fine as I am only using 10% of 4GB currently.

    Has anyone run Snort on the NANO 4GB edition and had any major issues?  I would really like to use this package.  Thanks in advance for anyone's comments.

    Ash,



  • @ashes00:


    It should work OK, but with the /var partition as a RAM disk some files Snort uses will not be persisted and it may error out on a reboot.  In particular the IP REP preprocessor blacklist and whitelist files live in /var/db/snort/iprep.

    Bill



  • Yikes, while I would love this package, I do not want it to fail on reboot.  Maybe later Nano-PF will get some extra Packages love :) 
    Bill - Thanks for replying so quickly.  Keep up the great work as well!

    Ash,



  • It should only be a problem if you enable IP reputation lists in Snort. Not really a big deal. The Snort.org rules don't include any lists as far as I can tell and the OpenET rules include one list, but you can also load that up on pfBlocker instead.



  • fragged is correct.  This only impacts the IP REPUTATION preprocessor.  It is disabled by default.  I was just pointing it out as one area that can fail with RAM disks.  The downloaded rules tarballs and the individual interface rules are stored on the /usr partition.

    There once was a bug where Snort did not put the /usr partition in read/write mode when trying to update some files, but I think I have all of those fixed now.  Report back if you notice any errors in the system log about attempting to write to a read-only partition.

    Bill
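The two failure modes the thread settles on (IP REP list files living on a RAM-disk /var, and rule writes hitting a read-only /usr) can be checked before enabling the package. The script below is an added example, not code from the pfSense Snort package or from anyone in this thread. It parses FreeBSD "mount" output to find which filesystem holds a path, flags md(4) memory disks and read-only mounts, and counts "Read-only file system" lines in the system log. The mount output and log lines are constructed samples so it runs offline; on a real box you would pass "$(mount)" and the contents of /var/log/system.log instead. The iprep path comes from the thread; /usr/local/etc/snort as the rules directory is an assumption.

```shell
#!/bin/sh
# Added example (not the pfSense Snort package's own code): preflight checks for
# running Snort on an embedded/NanoBSD pfSense box that keeps /var and /tmp on
# RAM disks. SAMPLE_MOUNT and SAMPLE_LOG are constructed so the script runs
# offline; on a real system use "$(mount)" and /var/log/system.log.

SAMPLE_MOUNT='/dev/ufs/pfsense0 on / (ufs, local, noatime, read-only)
devfs on /dev (devfs, local)
/dev/md0 on /var (ufs, local, noatime)
/dev/md1 on /tmp (ufs, local, noatime)'

# Constructed log lines; the second is the symptom Bill asks people to report.
SAMPLE_LOG='Jan 10 03:00:01 pfsense snort[1234]: Initializing rule chains...
Jan 10 03:00:02 pfsense php: snort_download_rules: cannot open /usr/local/etc/snort/rules/x.rules: Read-only file system
Jan 10 03:00:05 pfsense snort[1234]: Snort initialization completed successfully'

# Print the "mount" line for the filesystem holding path $2: the longest mount
# point that is a prefix of the path on a path-component boundary.
mount_line_for() { # $1 = mount output, $2 = absolute path
    printf '%s\n' "$1" | awk -v p="$2" '
        BEGIN { bestlen = 0 }
        {
            mp = $3
            if (mp == "/") { ok = (substr(p, 1, 1) == "/") } else {
                ok = (index(p, mp) == 1 &&
                      (length(p) == length(mp) || substr(p, length(mp) + 1, 1) == "/"))
            }
            if (ok && length(mp) > bestlen) { best = $0; bestlen = length(mp) }
        }
        END { print best }'
}

# True when the filesystem holding $2 is an md(4) memory disk (a RAM disk).
is_ramdisk() { # $1 = mount output, $2 = path
    case "$(mount_line_for "$1" "$2")" in
        /dev/md[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when the filesystem holding $2 is mounted read-only.
is_readonly() { # $1 = mount output, $2 = path
    case "$(mount_line_for "$1" "$2")" in
        *read-only*) return 0 ;;
        *) return 1 ;;
    esac
}

# Number of log lines where a write hit a read-only filesystem.
count_ro_errors() { # $1 = log text
    printf '%s\n' "$1" | grep -c 'Read-only file system' || true
}

# Run all checks; exit 0 when nothing needs attention, 1 otherwise.
snort_preflight() { # $1 = mount output, $2 = log text
    status=0
    iprep=/var/db/snort/iprep      # IP REP blacklist/whitelist files (path from the thread)
    rules=/usr/local/etc/snort     # rules directory (assumed path, on the /usr partition)
    if is_ramdisk "$1" "$iprep"; then
        echo "WARN: $iprep is on a RAM disk; IP REP lists are lost at reboot, keep the preprocessor disabled"
        status=1
    fi
    if is_readonly "$1" "$rules"; then
        echo "INFO: $rules is read-only; the package must remount read/write before writing rules"
    fi
    n=$(count_ro_errors "$2")
    if [ "$n" -gt 0 ]; then
        echo "WARN: $n read-only filesystem error(s) in the system log"
        status=1
    fi
    return $status
}

snort_preflight "$SAMPLE_MOUNT" "$SAMPLE_LOG" || echo "preflight: attention needed"
```

With the sample data the script warns that /var/db/snort/iprep sits on md0 and that one read-only error is in the log, which is exactly the combination the thread says you can live with as long as the IP reputation preprocessor stays off.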