    Snort - Best Search Method for Core 2 Duo, 4GB RAM. ET Open rules ?

      THS

      Hello.

      I noticed that my CPU was hitting 77 degrees C with my 100Mbps connection saturated.

      I am running PFblockerNG (just DNSBL Easylist, no IP lists) and Snort (free VRT, Community and ET Open on just the LAN)

      When I disabled Snort, my CPU temps and load DRASTICALLY dropped. Btw I had nearly every ET Open rule selected.

      CPU: Core 2 Duo 3Ghz
      RAM: 4 GB
      Storage: Sandisk 64GB SSD

      What Search Method is ideal for this setup? Default is AC-BNFA. I notice that my system is only using 1.8GB out of the 4GB available.

      Is one of the search methods easier on the CPU but better utilizes the 4GB?

      Also, what about ET Open rules? For VRT, I have IPS Policy Selection set to "Balanced".

      There is no Policy for ET Open rules. Which ones are recommended for home / home office use? I am NOT running any servers btw.

      BBcan177 (Moderator)

        Try AC-BNFA-NQ

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        humps

          @THS:

          Hello.

          I noticed that my CPU was hitting 77 degrees C with my 100Mbps connection saturated.

          What Search Method is ideal for this setup? Default is AC-BNFA. I notice that my system is only using 1.8GB out of the 4GB available.

          Is one of the search methods easier on the CPU but better utilizes the 4GB?

          Also, what about ET Open rules? For VRT, I have IPS Policy Selection set to "Balanced".

          There is no Policy for ET Open rules. Which ones are recommended for home / home office use? I am NOT running any servers btw.

          I have a similar set-up to your system running Snort and it's using less than 1GB!

          Try AC-BNFA-NQ for search method.

          Personally I do not tick/use IPS Policy; I pick the rules manually (untick that option to pick rules manually). I also use Snort GPLv2 Community Rules (VRT certified).

          If you choose to pick the rules manually, I recommend starting with the rules below. Test them for false positives and suppress the false positives; there will be quite a few when you're just starting to use Snort. Add new rules as you go along, test and suppress. Good luck!

          Start with these:
          emerging-malware.rules, emerging-trojan.rules, emerging-worm.rules, emerging-ciarmy.rules, emerging-current_events.rules, emerging-dshield.rules, emerging-compromised.rules, emerging-scan.rules, emerging-info.rules, emerging-exploit.rules, emerging-mobile_malware.rules, emerging-misc.rules.

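The "test, then suppress the false positives" step humps recommends is easier with a tally of which rules fire most. The following is an added example, not code from the thread or from the pfSense Snort package: it parses Snort fast-format alert lines, ranks the noisy rules, and emits `suppress` entries in Snort's threshold.conf syntax (which the pfSense Suppress List tab is assumed to accept unchanged). The alert lines, SIDs and messages are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample alerts in Snort "fast" alert format. The SIDs (9000xxx)
# and messages are placeholders, not real ET Open or VRT rules.
SAMPLE_ALERTS = """\
01/15-10:23:45.123456  [**] [1:9000001:3] EXAMPLE INFO outbound test UA [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.10:51234 -> 203.0.113.5:80
01/15-10:23:46.223456  [**] [1:9000001:3] EXAMPLE INFO outbound test UA [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.10:51235 -> 203.0.113.5:80
01/15-10:24:01.000001  [**] [1:9000001:3] EXAMPLE INFO outbound test UA [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.10:51236 -> 203.0.113.9:443
01/15-10:25:10.500000  [**] [1:9000002:1] EXAMPLE SCAN test probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40000 -> 192.168.1.1:22
01/15-10:26:00.000000  [**] [1:9000003:2] EXAMPLE MALWARE test beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.168.1.22:5353 -> 203.0.113.77:53
"""
# Fast format: "[gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]"
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)"
)

def parse_alerts(text):
    """One dict per parsable alert line; anything else is skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            d = m.groupdict()
            d["gid"], d["sid"] = int(d["gid"]), int(d["sid"])
            alerts.append(d)
    return alerts

def rank_noisy(alerts, min_hits):
    """Rules firing >= min_hits times, noisiest first, with their source hosts."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["gid"], a["sid"])].append(a)
    noisy = [{"gid": g, "sid": s, "msg": h[0]["msg"], "count": len(h),
              "sources": sorted({x["src"] for x in h})}
             for (g, s), h in groups.items() if len(h) >= min_hits]
    return sorted(noisy, key=lambda n: -n["count"])

def suppress_entries(noisy):
    """Snort threshold.conf 'suppress' lines. If every hit came from one host,
    scope the suppression to that host (track by_src) rather than silencing
    the rule for the whole network."""
    lines = []
    for n in noisy:
        entry = f"suppress gen_id {n['gid']}, sig_id {n['sid']}"
        if len(n["sources"]) == 1:
            entry += f", track by_src, ip {n['sources'][0]}"
        lines.append(entry)
    return lines
```

Raise `min_hits` once the rule set settles so that a rule only lands in the suppress list after it has proven noisy, and review the `msg` before suppressing anything from the malware or trojan categories.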
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.