Apu1c4 and snort



  • Hello

    I've bought a pcengines apu1c4 which has a 1 GHz dual core and 4 GB RAM.

    Currently I'm running pfSense 2.1.2-RELEASE (amd64) live on it with squid and havp (transparent http proxy).

    Memory usage is approx. 25%.

    Is it possible to use snort too with this hardware? Or has anyone tested a device with similar hardware specs? It may get very hot without a fan?

    If it's possible to use it, which detection search method should I choose: AC-BNFA, ACS, AC-BANDED?

    Any help is very appreciated. Thank you.



  • @john.wayne1:

    Hello

    I've bought a pcengines apu1c4 which has a 1 GHz dual core and 4 GB RAM.

    Currently I'm running pfSense 2.1.2-RELEASE (amd64) live on it with squid and havp (transparent http proxy).

    Memory usage is approx. 25%.

    Is it possible to use snort too with this hardware? Or has anyone tested a device with similar hardware specs? It may get very hot without a fan?

    If it's possible to use it, which detection search method should I choose: AC-BNFA, ACS, AC-BANDED?

    Any help is very appreciated. Thank you.

    Snort should work fine.  I suggest AC-BNFA (the default).  You may have to be a bit selective with rules, though, if you run the other packages listed.

    Bill



  • Thank you for the response.

    Is there any good tutorial / HowTo on which snort rules to select for this setup?



  • @john.wayne1:

    Thank you for the response.

    Is there any good tutorial / HowTo on which snort rules to select for this setup?

    At the top of this Forum is a sticky for a Snort How-To I put together a while back.  Some other folks have also contributed over the intervening months.  My suggestion to new users is to get a Snort VRT Oinkcode.  You can either register with them and get a free code, or pay $29 a year and get a subscription.  The difference (well, besides one is free and one is $29  :) ) is the paid subscription gets current rule updates.  The free code only gets rules after they have been published for 30 days.

    So once you have a code, enter it on the Global Settings tab and enable the Snort VRT rules.  Now go to the CATEGORIES tab and check the box to use an IPS Policy and choose either "Connectivity" or "Balanced" in the drop-down.  Save the change to create a set of rules based on the chosen policy.

    Bill



  • @bmeeks: Thank you, I will do that.



  • This might be useful for you too:

    @jflsakfja:

    AC-BNFA-NQ.

    AC-NQ is about 30% more RAM efficient than AC-SPLIT, with an increased CPU usage.

    AC (plain) is like killing a fly with a deathstar. AC-NQ replaced it; AC (plain) is now obsolete, and you get no added benefits from AC over AC-NQ.

    The best balance between RAM usage (more interfaces/more rules) and CPU is AC-BNFA-NQ. It's a single dropdown change, and an interface restart. Just try it, it will not bite.

    On a side note, 32GB RAM is suricata's 10Gbps territory.

    https://forum.pfsense.org/index.php?topic=64674.new;topicseen#new

    As are that member's contributions in general  ;D

    I changed my memory from AC-BNFA to AC-BNFA-NQ, and my total memory with Snort on 4 interfaces and some other packages is now 20% of 8GB = 1,6GB.
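    Two of the knobs this thread talks about, the IPS Policy selection from Bill's post (which keys on the "policy ...-ips" metadata the Snort VRT rules carry) and the pattern-matcher choice from the quoted post (AC-BNFA-NQ versus AC-BNFA and friends, set in snort.conf with "config detection: search-method"), can be shown in a few lines of code. The script below is an added example and not code from pfSense, the Snort package or any poster; the rule lines are constructed with made-up SIDs, the metadata layout and search-method names follow the Snort 2.9 manual, and the regular expressions plus the keep_vendor_disabled switch are this example's own assumptions about how a policy selector could behave.

```python
"""Illustrate two Snort tuning knobs from the thread (added example):
 1. selecting rules by the VRT 'policy <name>-ips' metadata that an
    IPS Policy ("connectivity", "balanced", ...) selection keys on;
 2. emitting the snort.conf 'config detection:' line for a chosen
    pattern-matcher such as ac-bnfa-nq.
Not pfSense or Snort package code; the SIDs below are constructed."""
import re

# Constructed sample ruleset in VRT style (SIDs 9000001+ are fake).
# Line 3 is commented out the way the vendor ships "off by default" rules.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE smb probe"; flow:to_server,established; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-recon; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE http overflow"; flow:to_server,established; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; sid:9000002; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE off by default"; metadata:policy security-ips drop; classtype:misc-activity; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE rule with no policy tag"; classtype:misc-activity; sid:9000004; rev:1;)
'''

# IPS policy names used in VRT metadata ("policy balanced-ips drop" etc.).
POLICIES = ("connectivity", "balanced", "security", "max-detect")

# search-method values accepted by "config detection:" in Snort 2.9.
# "-q" variants queue pattern hits and evaluate rules afterwards,
# "-nq" variants evaluate as each pattern matches (the NQ the thread means).
SEARCH_METHODS = {
    "ac", "ac-q", "ac-nq", "ac-bnfa", "ac-bnfa-q", "ac-bnfa-nq", "ac-split",
    "acs", "ac-banded", "ac-sparsebands", "lowmem", "lowmem-q", "lowmem-nq",
}

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
POLICY_RE = re.compile(r"policy\s+([a-z-]+)-ips")


def parse_rules(text):
    """Return one dict per rule line: sid, vendor enabled flag, policy set."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith("#")
        body = stripped.lstrip("# ").strip()
        sid = SID_RE.search(body)
        if not sid:
            continue  # plain comment or junk, not a rule
        rules.append({
            "sid": int(sid.group(1)),
            "enabled": enabled,
            "policies": set(POLICY_RE.findall(body)),
            "rule": body,
        })
    return rules


def select_by_policy(rules, policy, keep_vendor_disabled=False):
    """SIDs that carry the given IPS policy tag, in file order.

    keep_vendor_disabled=True also picks up rules the vendor shipped
    commented out (an assumption of this example, not pfSense behaviour).
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown IPS policy {policy!r}; expected one of {POLICIES}")
    return [r["sid"] for r in rules
            if policy in r["policies"] and (r["enabled"] or keep_vendor_disabled)]


def detection_config(method="ac-bnfa-nq", max_queue_events=5, split_any_any=True):
    """Build the snort.conf 'config detection:' line for a search method."""
    m = method.lower()
    if m not in SEARCH_METHODS:
        raise ValueError(f"unknown search-method {method!r}")
    parts = [f"search-method {m}"]
    # ac-split already implies split-any-any, so do not repeat it there.
    if split_any_any and m != "ac-split":
        parts.append("split-any-any")
    if max_queue_events is not None:
        parts.append(f"max_queue_events {int(max_queue_events)}")
    return "config detection: " + " ".join(parts)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for policy in ("connectivity", "balanced", "security"):
        print(f"{policy:>12}: {select_by_policy(rules, policy)}")
    print(detection_config("AC-BNFA-NQ"))
```

    Running it shows why "Connectivity" is the lighter choice for a small box: it enables only the rules tagged for that policy, a strict subset of "Balanced", while a rule with no policy tag is never enabled by any policy and must be turned on by hand. The last line is the directive the pfSense dropdown writes for you when you pick AC-BNFA-NQ.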



  • Greetings,

    Are you using snort now on apu1c4?
    What are your experiences?

    Regards



  • @stickybit:

    Greetings,

    Are you using snort now on apu1c4?
    What are your experiences?

    Regards

    It works very well and is stable.

    I've the packages HAVP antivirus, snort and squid3 running.

    Memory usage is between 40% and 70% and CPU usage is very low (<10%).

    So far no problems with this setup  ;)



  • @john.wayne1:

    @stickybit:

    Greetings,

    Are you using snort now on apu1c4?
    What are your experiences?

    Regards

    It works very well and is stable.

    I've the packages HAVP antivirus, snort and squid3 running.

    Memory usage is between 40% and 70% and CPU usage is very low (<10%).

    So far no problems with this setup  ;)

    Is your apu1c4 still running stable with HAVP antivirus, snort and squid3?
    What kind of speed do you get?



  • @Bulldogg:

    Is your apu1c4 still running stable with HAVP antivirus, snort and squid3?
    What kind of speed do you get?

    Yes, still running stable for months now.

    Speedtest reaches my provider-limited bandwidth maximum of 20 Mbps download and 2 Mbps upload.