
BLU Discuss list archive



[Discuss] running Snort on a consumer-grade router




On Wed, Jan 18, 2012 at 3:20 AM, Tom Metro <tmetro-blu at vl.com> wrote:
> Anyone tried running Snort on a consumer-grade router?
>
> I was curious if it could be installed on a router running Tomato
> firmware, and ran across this:
>
> http://tomatousb.org/forum/t-305093/snort-and-dansguardian-on-tomatousb
>
>  ...you must first install Optware...
>  Then you can install Snort and Dansguardian
>
> Optware (a Debian-like package management system) was expected, but I
> hadn't heard of DansGuardian[1], which is a "web content filter."
> Something I have no interest in, and I'm assuming just an optional,
> related tool mentioned because the OP asked about it.
>
> 1. http://dansguardian.org/?page=whatisdg
>
> More importantly another post in the same thread says:
>
>  Snort, on the other hand, is FAR too memory-hungry for use on a router
>  unless you go with a pitifully reduced ruleset. It barely fit on an
>  otherwise-empty RT-N16 with reasonable rules defined.
>
> As I understand it, Snort relies on libpcap to inspect the packets
> flowing through the router. I wonder if there are any mechanisms for
> running libpcap on the router as usual, but running the more memory
> intensive packet analysis on a full server inside the LAN. This should
> constrain the memory footprint, though I could see such a setup still
> adding CPU overhead on the router if it has to send every inbound packet
> to two destinations. Perhaps if you don't need full packet for logging
> or analysis, the proxy code on the router could pass on just the packet
> headers.
>
> Or maybe the warning was overstated. On the next page of the thread a
> user reports being able to successfully run Snort on an RT-N16, but they
> didn't report whether they ever got custom rules working.
>
>  -Tom

I agree with all these points, Tom.

In my experience most consumer routers barely have enough CPU power to
get out of their own way, and only have 16MB of RAM, 32MB if you're
lucky.  With a small rule set and running the lowmem option I suppose
it should work.  But I'd love to see a speedtest.net with and without
Snort to see what sort of impact it has on performance.

At home I'm currently running Snort on an embedded Alix (800MHz AMD
Geode CPU) w/ 256MB of RAM on pfSense.  It seems to run reasonably
well on it, but you still have to be careful as to what rule
sets you enable and which Memory Performance option you use.

You can pick up an Alix kit off eBay for $135 or so.
http://www.ebay.com/itm/PC-Engines-Alix-2D2-Full-Kit/280786538520
That's the person I got mine from a year or so ago.  I've since had to
replace the CF as I started getting some errors on the one I got with
the kit.
--
David
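
Added example, not part of the thread and not code from Snort or Tomato: a sketch of the "pass on just the packet headers" idea from the quoted message, cutting each record of a classic pcap capture down to its Ethernet/IPv4/TCP-or-UDP headers before it is shipped to an analysis host. The function names and the sample capture are constructed for illustration, and only little-endian, microsecond-resolution Ethernet pcap is assumed.

```python
import struct

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, version major/minor, zone, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len

def header_len(frame):
    """Length of the Ethernet + IPv4 + TCP/UDP headers at the start of a frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return min(len(frame), 14)               # short or non-IPv4: Ethernet header only
    l4 = 14 + max((frame[14] & 0x0F) * 4, 20)    # IHL is counted in 32-bit words
    proto = frame[23]
    if proto == 6 and len(frame) >= l4 + 13:     # TCP data offset: high nibble of byte 12
        return min(len(frame), l4 + max((frame[l4 + 12] >> 4) * 4, 20))
    if proto == 17:                              # UDP header is always 8 bytes
        return min(len(frame), l4 + 8)
    return min(len(frame), l4)

def strip_payloads(pcap):
    """Return the capture with each record cut to its headers; orig_len is preserved."""
    magic, _, _, _, _, _, linktype = PCAP_GLOBAL.unpack_from(pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian, microsecond, Ethernet pcap")
    out = bytearray(pcap[:PCAP_GLOBAL.size])
    pos = PCAP_GLOBAL.size
    while pos + PCAP_RECORD.size <= len(pcap):
        ts_sec, ts_usec, incl, orig = PCAP_RECORD.unpack_from(pcap, pos)
        frame = pcap[pos + PCAP_RECORD.size:pos + PCAP_RECORD.size + incl]
        pos += PCAP_RECORD.size + incl
        keep = header_len(frame)
        out += PCAP_RECORD.pack(ts_sec, ts_usec, keep, orig) + frame[:keep]
    return bytes(out)

def sample_capture():
    """Constructed input: a TCP segment with 100 payload bytes and a UDP datagram with 40."""
    eth = bytes(12) + b"\x08\x00"
    def ipv4(proto, l4_len):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len, 0, 0, 64, proto, 0,
                           bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 1024, 0, 0) + b"A" * 100
    udp = struct.pack("!HHHH", 40000, 53, 48, 0) + b"B" * 40
    out = PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for frame in (eth + ipv4(6, len(tcp)) + tcp, eth + ipv4(17, len(udp)) + udp):
        out += PCAP_RECORD.pack(0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    full = sample_capture()
    print(len(full), "->", len(strip_payloads(full)), "bytes")
```

With payloads removed, only header-based Snort rules can match on the analysis host; rules that rely on content matching need the full packet.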



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org