Question on Snort with OpenAppID
Snort newbie here - got it installed on a 4 WAN setup on cable modems, using 3 routers in the middle due to the cable modems pulling the same gateway. I want to use Snort and OpenAppID to block torrents.
My problem is when I enable Snort on all my WAN interfaces with the IPS policy - Balanced, it seems to block or slow down almost all Internet browsing.
I inserted my custom Snort rules to look at the AppID I wanted as well.
What should I look to disable or filter out? For reference this is the setup:
Cable Modem 1 - PFSense WAN 4
Cable Modem 2 - Linksys Wired Router 10.10.100.1 255.255.255.248 - PFSense WAN 3 - 10.10.100.3 (set as DMZ host on 10.10.100.1)
Cable Modem 3 - Linksys Wired Router 10.20.100.1 255.255.255.248 - PFSense WAN 2 - 10.20.100.3 (set as DMZ host on 10.20.100.1)
Cable Modem 4 - Netgear Wired Router 10.30.100.1 255.255.255.248 - PFSense WAN 1 - 10.30.100.3 (set as DMZ host on 10.30.100.1)
I enabled Snort on all the WAN interfaces with the same settings and AC-SD with OpenAppID enabled. I have a 32GB swap file on the firewall. It is running on an HP DL360G5 with 12GB RAM, 76GB RAID 1 on a P4000 controller with 8 NICs on 2 Intel 4 port ToE server NICs with an Intel Quad core Xeon 2GHz CPU.
Any help or direction you can provide is appreciated.
I enabled Snort on all the WAN interfaces with the same settings and AC-SD
Try AC-BNFA-NQ. The other memory managers seem to have issues even if you have a box with sufficient memory. I have had issues in the past with boxes with 32GB RAM using some of the other AC memory managers.
Awesome. I will give that a try tonight and test it out. Thanks for the quick reply.