Snort - Best Search Method for Core 2 Duo, 4GB RAM. ET Open rules ?



  • Hello.

    I noticed that my CPU was hitting 77 degrees C with my 100Mbps connection saturated.

    I am running PFblockerNG (just DNSBL Easylist, no IP lists) and Snort (free VRT, Community and ET Open on just the LAN)

    When I disabled Snort, my CPU temps and load DRASTICALLY dropped. Btw I had nearly every ET Open rule selected.

    CPU: Core 2 Duo 3 GHz
    RAM: 4 GB
    Storage: Sandisk 64GB SSD

    What Search Method is ideal for this setup ? Default is AC-BNFA.  I notice that my system is only using 1.8GB out of the 4GB available.

    Is one of the search methods easier on the CPU but better utilizes the 4GB ?

    Also, what about ET Open rules ? For VRT, I have IPS Policy Selection set to "Balanced"

    There is no Policy for ET Open rules.  Which ones are recommended for home / home office use ? I am NOT running any servers btw.


  • Moderator

    Try AC-BNFA-NQ



  • @THS:

    Hello.

    I noticed that my CPU was hitting 77 degrees C with my 100Mbps connection saturated.

    What Search Method is ideal for this setup ? Default is AC-BNFA.  I notice that my system is only using 1.8GB out of the 4GB available.

    Is one of the search methods easier on the CPU but better utilizes the 4GB ?

    Also, what about ET Open rules ? For VRT, I have IPS Policy Selection set to "Balanced"

    There is no Policy for ET Open rules.  Which ones are recommended for home / home office use ? I am NOT running any servers btw.

    I have a similar set-up to your system running snort and it's using less than 1GB!

    Try AC-BNFA-NQ for search method.

    Personally I do not tick/use IPS Policy, I pick the rules manually (untick that option to pick rules manually). I also use Snort GPLv2 Community Rules (VRT certified).

    If you choose to pick the rules manually I recommend starting with the following rules below, test them for false positives and suppress the false positives; there will be quite a few when you're just starting to use snort. Add new rules as you go along, test and suppress. Good luck!

    Start with these:
    emerging-malware.rules, emerging-trojan.rules, emerging-worm.rules, emerging-ciarmy.rules, emerging-current_events.rules, emerging-dshield.rules,  emerging-compromised.rules, emerging-scan.rules, emerging-info.rules, emerging-exploit.rules,  emerging-mobile_malware.rules, emerging-misc.rules.
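The "test for false positives and suppress" loop recommended in the reply above is easier to do systematically than by eyeballing the alert log. The script below is an added example written for this thread, not code from any poster or from the Snort project: it parses lines in Snort's alert_fast output format, counts hits per signature, and proposes threshold.conf `suppress` entries only for low-priority signatures that fire repeatedly from a single source. The sample alert lines, the SIDs (9990001 to 9990003) and the addresses are constructed placeholders, not real ET Open or VRT signatures; the thresholds (3 hits, priority 3 or lower) are my own assumptions and should be tuned to your own log volume. The search method itself is not set here; in a stock snort.conf it is the `config detection: search-method ...` line (on pfSense, the GUI field the replies refer to).

```python
import re
from collections import Counter, defaultdict

# Constructed alert_fast lines for illustration only (no real traffic).
# SIDs 9990001-9990003 and all hosts are hypothetical placeholders.
SAMPLE_ALERTS = """\
03/12-10:15:22.123456  [**] [1:9990001:2] ET INFO hypothetical noisy rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:51234 -> 198.51.100.7:443
03/12-10:15:23.000001  [**] [1:9990001:2] ET INFO hypothetical noisy rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:51235 -> 198.51.100.7:443
03/12-10:15:24.500000  [**] [1:9990001:2] ET INFO hypothetical noisy rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:51236 -> 198.51.100.8:443
03/12-10:16:01.000000  [**] [1:9990002:1] ET SCAN hypothetical scan rule [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:40000 -> 192.0.2.10:22
03/12-10:16:02.000000  [**] [1:9990002:1] ET SCAN hypothetical scan rule [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.6:40001 -> 192.0.2.10:22
03/12-10:17:00.000000  [**] [1:9990003:1] ET MALWARE hypothetical malware rule [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.11:50000 -> 203.0.113.9:80
"""

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ..]
# [Priority: N] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


def parse_alert(line):
    """Parse one alert_fast line; return a dict, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {
        "gid": int(m["gid"]),
        "sid": int(m["sid"]),
        "rev": int(m["rev"]),
        "msg": m["msg"],
        "priority": int(m["prio"]),
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
    }


def summarize(lines):
    """Count alerts per (gid, sid) so the noisiest signatures stand out."""
    counts = Counter()
    for line in lines:
        a = parse_alert(line)
        if a:
            counts[(a["gid"], a["sid"])] += 1
    return counts


def suppress_candidates(lines, min_hits=3, min_priority=3):
    """Propose threshold.conf 'suppress' entries for signatures that fire at
    least min_hits times, always from the same source, and are low severity.
    Snort priority 1 is the most severe, so only alerts whose priority is
    >= min_priority are considered; anything more severe is left for review.
    Thresholds are assumptions for this example, not Snort defaults."""
    per_sig = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        if a:
            per_sig[(a["gid"], a["sid"])].append(a)

    out = []
    for (gid, sid), alerts in sorted(per_sig.items()):
        if len(alerts) < min_hits:
            continue
        if any(a["priority"] < min_priority for a in alerts):
            continue  # higher-severity signature: do not suppress automatically
        sources = {a["src"] for a in alerts}
        if len(sources) != 1:
            continue  # many sources may be a real pattern; keep the alert
        (src,) = sources
        # Scoped to the one source rather than a global suppress of the SID.
        out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
    return out


if __name__ == "__main__":
    lines = SAMPLE_ALERTS.splitlines()
    for (gid, sid), n in summarize(lines).most_common():
        print(f"{gid}:{sid}  {n} hits")
    print("\n# candidate threshold.conf entries (review before applying):")
    for entry in suppress_candidates(lines):
        print(entry)
```

On real data, replace `SAMPLE_ALERTS` with the contents of your alert log and review each proposed line before adding it to threshold.conf; the point of scoping to `track by_src` is that a signature which is noise from one host stays active for everyone else.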

