[Snort-users] Snort and Firewalls

Dragos Ruiu dr at ...50...
Sun Oct 15 22:01:12 EDT 2000

On Sun, 15 Oct 2000, you wrote:
> I have never heard of anyone running snort on their firewall itself...
> Is there a reason for this besides fear of performance hits on the firewall?
> This is what I do on my network... I have my gateway set up using iptables
> for my firewall and I have snort (with the ACID frontend) listening on my
> inside interface... This way I can have one sensor that sees all the traffic
> that gets through the firewall (which is what I am worried about mostly
> anyway). Is there something bad/wrong about doing this I should know?

I have run snort on NAT/masquerade Linux and Trinux firewall boxes for some
time. With a 300-400 MHz CPU and up and typical cable modem/ADSL/T1 systems
you'll never notice anything more than about 10-20 ms extra latency, i.e. any
performance bottlenecks (even with only 32 MB of RAM!) with a moderate ruleset
should be almost negligible for that level of traffic. Performance does seem to
slow down noticeably when you start going to 233 MHz and below CPUs; there
is a bit of a performance "knee" there I've noticed. YMMV of course...  --dr
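The layout the question describes, as an added example that is not part of the original thread or of Snort itself: a small script that emits the iptables NAT/masquerade rules for the gateway and the snort command line bound to the inside interface. The interface names, LAN subnet, config path and log directory are assumptions; by default the script only prints the commands (a dry run), and applying them requires root and a box with iptables and snort installed.

```shell
#!/bin/sh
# Added example, not code from the original post: an iptables masquerading
# gateway with snort listening on the inside interface.  Everything below
# that names an interface, subnet or path is an assumption for illustration.

OUTSIDE=${OUTSIDE:-eth0}                 # assumed interface toward the cable modem/ADSL/T1
INSIDE=${INSIDE:-eth1}                   # assumed interface toward the LAN
LAN=${LAN:-192.168.1.0/24}               # assumed private LAN subnet
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}   # assumed snort rules/config path
SNORT_LOG=${SNORT_LOG:-/var/log/snort}   # assumed snort log directory

# Print the iptables commands for the gateway: drop forwarded traffic by
# default, masquerade the LAN behind the outside address, allow outbound
# LAN traffic and only the replies to it back in.
gateway_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o $OUTSIDE -s $LAN -j MASQUERADE
iptables -A FORWARD -i $INSIDE -o $OUTSIDE -s $LAN -j ACCEPT
iptables -A FORWARD -i $OUTSIDE -o $INSIDE -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Print the snort invocation.  Binding the sensor to the inside interface
# means it only sees traffic that has already passed the FORWARD chain, and
# the alerts carry the real LAN addresses rather than the masqueraded one.
# Traffic the firewall dropped on the outside is never seen by this sensor.
snort_cmd() {
    echo "snort -D -i $INSIDE -c $SNORT_CONF -l $SNORT_LOG"
}

# Dry run unless "apply" is given: print the commands instead of running them.
case "${1:-dry-run}" in
    apply)
        gateway_rules | sh
        snort_cmd | sh
        ;;
    *)
        gateway_rules
        snort_cmd
        ;;
esac
```

Running the script with no argument prints the four iptables rules and the snort command line; `sh gateway.sh apply` as root would install them. Note that the inside-interface placement is exactly why the sensor cannot report anything the firewall blocked: if that visibility matters, a second snort instance (or a BPF filter) on the outside interface is needed.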

