Question on Snort with OpenAppID



  • Snort newbie here - got it installed on a 4 WAN setup on cable modems, using 3 routers in the middle due to the cable modems pulling the same gateway.  I want to use Snort and OpenAppID to block torrents.

    My problem is that when I enable Snort on all my WAN interfaces with the IPS policy - Balanced, it seems to block or slow down almost all Internet browsing.

    I inserted my custom Snort rules to look at the AppID I wanted as well.

    What should I look to disable or filter out?  For reference this is the setup:

    Cable Modem 1  - PFSense WAN 4
    Cable Modem 2 - Linksys Wired Router 10.10.100.1 255.255.255.248 - PFSense WAN 3 - 10.10.100.3 (set as DMZ host on 10.10.100.1)
    Cable Modem 3 - Linksys Wired Router 10.20.100.1 255.255.255.248 - PFSense WAN 2 - 10.20.100.3 (set as DMZ host on 10.20.100.1)
    Cable Modem 4 - Netgear Wired Router 10.30.100.1 255.255.255.248 - PFSense WAN 1 - 10.30.100.3 (set as DMZ host on 10.30.100.1)

    I enabled Snort on all the WAN interfaces with the same settings and AC-SD with OpenAppID enabled.  I have a 32GB swapfile on the firewall. It is running on an HP DL360G5 with 12GB RAM, 76GB RAID 1 on a P4000 controller with 8 NICs on 2 Intel 4 port ToE server NICs with an Intel Quad core Xeon 2GHz CPU.

    Any help or direction you can provide is appreciated.


  • Moderator

    @sideout:

    I enabled Snort on all the WAN interfaces with the same settings and AC-SD

    Try AC-BNFA-NQ. The other memory managers seem to have issues even if you have a box with sufficient memory. I have had issues in the past with boxes with 32GB RAM using some of the other AC memory managers.



  • Awesome. I will give that a try tonight and test it out.  Thanks for the quick reply.

