BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] running Snort on a consumer-grade router

Subject: [Discuss] running Snort on a consumer-grade router
From: tmetro-blu at vl.com (Tom Metro)
Date: Thu, 19 Jan 2012 17:25:20 -0500
In-reply-to: <CAFo7OGqK-iwMwfoJjP7VzNk5YkV4=sjixgW5A=XetFKanGTvMw@mail.gmail.com>
References: <4F1680D7.1060900@vl.com> <CAFo7OGqK-iwMwfoJjP7VzNk5YkV4=sjixgW5A=XetFKanGTvMw@mail.gmail.com>

David Miller wrote:
> In my experience most consumer routers barely have enough cpu power to
> get out of their own way.

As mentioned elsewhere, the Asus RT-N16 is a newer class of router with
beefier hardware than your typical WRT54G-era box. 128 MB of RAM and a
480 MHz CPU:
http://infodepot.wikia.com/wiki/Asus_RT-N16

And that's the hardware I'd be using. (This model was released in mid
2009, and even today there are only a handful of routers in the same
price class with a faster CPU, and of those almost none have as much RAM.)

> I'd love to see a speedtest.net with and without
> snort to see what sort of impact it has on performance.

Yes, that would be a good comparison to make.

> At home I'm currently running snort on an embedded Alix (800MHz AMD
> Geode cpu) w/ 256mb of ram on pfSense. 

I'm familiar with the Alix boards, have written about them here before,
and considered them. At the time they were selling in the ~$150 range
after you added a power supply and enclosure. The specs are hard to beat
for that price.

I had interest in FreeBSD/pfSense due to its ability to run in a fail
over configuration on redundant hardware. I believe they've since hacked
up an equivalent solution for Linux/iptables.

I'm hoping we'll see some of the consumer routers switch to ARM CPUs,
and less proprietary switch hardware, which should hopefully permit
FreeBSD to run on them. I suspect we will see 800 MHz+/128 MB+ consumer
routers in the $100 range in 2012. (There are already non-router
consumer products with these specs, like http://www.tonidoplug.com/, but
they lack built-in switches. In theory, you could pair it up with a $50
5-port switch that does VLAN tagging[1].)

1. http://www.newegg.com/Product/Product.aspx?Item=N82E16833122342
(This does port mirroring too. Perhaps the same low cost switch someone
mentioned at the talk.)

> It seems to run on this reasonably well on it but you still have to
> be careful as to what rule sets you enable and which Memory
> Performance option you use.

Good to know. Thanks.

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/

Follow-Ups:
- [Discuss] running Snort on a consumer-grade router
  - From: omegahalo at gmail.com (Chris O'Connell)

References:
- [Discuss] running Snort on a consumer-grade router
  - From: tmetro-blu at vl.com (Tom Metro)
- [Discuss] running Snort on a consumer-grade router
  - From: david3d at gmail.com (David Miller)

Prev by Date: [Discuss] running Snort on a consumer-grade router
Next by Date: [Discuss] Visualizing LAN traffic
Previous by thread: [Discuss] running Snort on a consumer-grade router
Next by thread: [Discuss] running Snort on a consumer-grade router
Index(es):
- Date
- Thread


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Boston Linux & Unix / webmaster@blu.org