Snort and firewall rules



  • Hello everyone.
    I have been running Snort for nearly a month now and there are a couple of IP addresses that are blocked on a daily basis. Therefore I am considering blocking the IPs from the firewall rule set.
    Between Snort and the firewall rule set, which one of them will consume fewer resources (CPU)?
    I am open to any other suggestions. Thank you in advance.  :)



  • Not enough difference in resource consumption to really matter with today's fast CPUs and ample RAM.  Once Snort makes a "block" decision, all it does is insert the IP into a pre-existing pf table in the firewall.  So the blocking is done the same way.  It's true that using just a firewall rule on the IP will block immediately based on just the IP.  Depending on how Snort is blocking (content coming from the IP or just the IP on a list), Snort might take a tiny bit longer to block and use a tidbit more CPU time.

    If you are sure the IP is a static one, and you want to always block it, then no problem inserting it into a rule.  Just remember this – your WAN by default blocks all inbound traffic except what you explicitly allow, or if the traffic is a stateful reply to a previous outbound packet. Snort runs in promiscuous mode on the interface, so it sees and acts on all traffic even if that traffic is in fact default-blocked by the firewall.  I don't know your particular situation, but it might be that you don't need to worry about those two IPs if they are already being default-blocked by the inbound traffic rules in your firewall.

    Bill
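
    Bill's point that an IP already covered by the WAN's default inbound deny needs no extra rule can be checked against the Snort alert log. The script below is an added example, not code from this thread or from the pfSense Snort package: it parses a few constructed lines in Snort's "fast" alert format (placeholder SIDs in the local-rule range, RFC 5737 documentation addresses), models the WAN policy as default-deny plus an explicit allow list (the WAN address and the ports in WAN_ALLOW are assumptions), and reports per source IP whether its traffic only ever hit default-denied ports, or reached a service the firewall explicitly allows on more than one day, which is the case where a static firewall rule actually adds something.

```python
import re
from collections import defaultdict

# Constructed sample lines in Snort's "fast" alert format (not taken from the
# thread). SIDs are in the local-rule range (1000001+) and are placeholders;
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_ALERTS = """\
01/11-03:14:07.120455  [**] [1:1000001:1] LOCAL reputation hit [**] [Priority: 2] {TCP} 203.0.113.5:44321 -> 198.51.100.7:23
01/12-03:20:11.004112  [**] [1:1000001:1] LOCAL reputation hit [**] [Priority: 2] {TCP} 203.0.113.5:44890 -> 198.51.100.7:3389
01/11-04:02:55.781200  [**] [1:1000002:1] LOCAL scan detected [**] [Priority: 3] {TCP} 192.0.2.77:51000 -> 198.51.100.7:22
01/12-05:41:18.330000  [**] [1:1000002:1] LOCAL scan detected [**] [Priority: 3] {TCP} 192.0.2.77:51001 -> 198.51.100.7:443
01/12-06:10:00.000000  [**] [1:1000001:1] LOCAL reputation hit [**] [Priority: 2] {UDP} 192.0.2.9:5000 -> 198.51.100.7:53
"""

# Assumed WAN policy: 198.51.100.7 is the firewall's WAN address, and only
# these (protocol, port) pairs are explicitly allowed inbound. Everything
# else inbound is dropped by the default-deny rule Bill describes.
WAN_ADDRESS = "198.51.100.7"
WAN_ALLOW = {("TCP", 443), ("UDP", 1194)}

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alerts(text):
    """Parse fast-format alert lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        events.append({
            "day": m["ts"].split("-")[0],  # MM/DD prefix of the timestamp
            "sid": int(m["sid"]),
            "proto": m["proto"].upper(),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def summarize(events, wan_address=WAN_ADDRESS, wan_allow=WAN_ALLOW):
    """Per source IP: total hits, hits that reached an explicitly allowed
    WAN service, distinct days seen, and the (proto, port) pairs targeted."""
    summary = defaultdict(
        lambda: {"hits": 0, "allowed_hits": 0, "days": set(), "ports": set()}
    )
    for ev in events:
        if ev["dst"] != wan_address:
            continue  # not inbound to the WAN address; WAN inbound rules do not apply
        s = summary[ev["src"]]
        s["hits"] += 1
        s["days"].add(ev["day"])
        s["ports"].add((ev["proto"], ev["dport"]))
        if (ev["proto"], ev["dport"]) in wan_allow:
            s["allowed_hits"] += 1
    return dict(summary)


def recommend(summary, min_days=2):
    """Decide whether a static firewall block rule would add anything."""
    rec = {}
    for ip, s in summary.items():
        if s["allowed_hits"] == 0:
            # Every hit was on a port the default-deny already drops.
            rec[ip] = "already default-denied"
        elif len(s["days"]) >= min_days:
            # Repeatedly reaches an allowed service: a plain IP rule is cheaper
            # than letting Snort re-inspect it each day.
            rec[ip] = "static block rule"
        else:
            rec[ip] = "leave to Snort"
    return rec


if __name__ == "__main__":
    summary = summarize(parse_alerts(SAMPLE_ALERTS))
    for ip, verdict in recommend(summary).items():
        s = summary[ip]
        print(f"{ip:15} hits={s['hits']} allowed_hits={s['allowed_hits']} "
              f"days={len(s['days'])} -> {verdict}")
```

    With the constructed input, 203.0.113.5 only ever probed telnet and RDP, which the default-deny drops anyway, so a firewall rule for it buys nothing; 192.0.2.77 hit port 443, which the assumed policy allows, on two separate days, so that one is the candidate for a static rule. Point the script at a real alert file (pfSense keeps them under the Snort package's log directory) and adjust WAN_ALLOW to your actual inbound rules.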



  • Adding my 2 cents, with Snort enabled I consistently lose 100 Mbps in download speed when doing speed tests either with speedtest.net or dslreports.com/speedtest, same differential with either. Upload appears to be unaffected.

    I am using a SG-4860 with CenturyLink Gigabit service.

    Here is my Snort setup:
    WAN - AC-NQ with only emerging-ciarmy.rules and emerging-rbn.rules enabled
    LAN - AC-NQ with using balanced Snort IPS policies

    My thought was that with quad-core processors and Intel NICs, this box should easily handle most anything thrown at it.

    Thoughts?

    Thanks,
    Brent



  • I don't have a gigabit connection, so I've never seen any issue with Snort on my box.  I didn't mean to say Snort won't take CPU cycles, I was trying to say that the blocking action of Snort and the firewall are similar (because Snort just asks the firewall to block).

    It is true that Snort can take time to examine a packet and come to a block decision.  Text rules are slower than IP Reputation List rules, but either of these is going to be slower than a straight firewall packet filter block.

    It's just that I think you need to start getting well north of 100 megabits/second before that starts to impact speeds.

    BTW – I'm jealous of those with gigabit connections.  I have a blazing fast 24/2 megabits/sec cable modem... :(.  I could probably run Snort on an Atari 2600 processor chip and still get my line speeds... ;D.

    Bill



  • @superweasel:

    Adding my 2 cents, with Snort enabled I consistently lose 100 Mbps in download speed when doing speed tests either with speedtest.net or dslreports.com/speedtest, same differential with either. Upload appears to be unaffected.

    I am using a SG-4860 with CenturyLink Gigabit service.

    Here is my Snort setup:
    WAN - AC-NQ with only emerging-ciarmy.rules and emerging-rbn.rules enabled
    LAN - AC-NQ with using balanced Snort IPS policies

    My thought was that with quad-core processors and Intel NICs, this box should easily handle most anything thrown at it.

    Thoughts?

    Thanks,
    Brent

    Although I don't have Gigabit connection service, having 250/20 now, I do not have the speed issue at all; I got the same result from speedtest.net and dslreport.com/speedtest with Snort and pfBlockerNG enabled: 326/21.  In fact, I had the issue with Squid3 installed. Bypassing it, I get the speed I used to get.



  • Thanks everyone for your input, especially bmeeks. I recently purchased the gold subscription :), time for me to do some reading before asking some noob questions.

    Cheers

