I’d like to snort. Should I?

I’m just today reading about an OpenWrt package “snort.” Looks very interesting. I’m thinking the Raspberry Pi4 has the CPU power to install this. Any tips, tricks, or warnings from the more experienced members of the forum?

Just planning on using it where the Ethernet port is connected to the wan and the wireless/wifi is connected to the lan.

Seems like it would work fine.

1 Like

RPi4B and even 5B can only handle around 100 Mbps.

If your connection is that speed go for it or if you’re ok limiting the max download. You really need x86 for faster.

It surely is interesting, but as @darksky points out, there is a penalty to pay in terms of the bandwidth (or the processing/electrical power) required to run something like Snort.

Your title has "Should I" -- to which I'd ask, "why would you" and "what is the reason" -- I ask this in a positive way, but basically to say that unless you have a use for the data and IDS/IPS functionality that it provides, it's not necessarily useful. You could make the argument that everyone can benefit from IDS/IPS features, but it really depends on the threat vectors that concern you. Also relevant is the value that you (or your organization) present to potential attackers -- if you're high value and have highly sensitive information, this could be very important as you may be actively targeted by hacking attempts... otherwise, maybe it's not worth the extra overhead.

1 Like

I’d like to snort. Should I?

I see what you did there. :rofl:

I have 1Gbps internet at old home, with a VM guest (2 core assigned from a Ryzen V1500B), turning SNORT/Suricata ON will make it like 300Mbps speed only. And I believe my VM should be a lot faster than your Pi4B. So yes if your connection is something like 100Mbps otherwise time to buy a new machine, like the one with Ryzen 5825U.

1 Like

Or:
Seems like a Threadripper Pro 5000WX might be good for, at least, a couple extra years if you decide to go for 2.5gb/s.

And if you live in Iceland, win, win.

Probably don't need, I know someone in my home country doing IPS/IDS on his 1Gbps line with the China made Ryzen 5825U (8C16T is doing pretty good here) mini PC which works well, but the price is 10x of Pi4B (not including RAM/SSD)

I was looking into SPI on a Pi4 and SNORT yesterday.
SPI wanted extra hardware (is that right?) and I was still researching SNORT earlier today, so this thread is JiT.

I don't know, it looks like it might be up to task for at least 5 years. Might even handle SAMBA too.

You got me thinking so I tried to find some benchmarks that are used on both the Pi4 and x/86 CPUs and 15 minutes later I gave up / they don't exist.

But I looked up the V1500B: 4 cores, 8 threads 2.2GHz max, no turbo mode beyond that. 2017-2020

You dedicated 2 cores in a VM; Pi has 4 @1.8 if not overclocked. (any Pi4 made after 2021 and a current bootloader runs stock @1.8) OC'ed to 2.1Ghz with almost no more effort than a decent heatsink.

So, I would expect more than 100Mbps even with SQM.
And @KSofen likes to experiment; so I'm interested in what they can pull off.

But the Ryzen has much higher computing power per Mhz than the Pi and that is the deciding factor for Snort 3. And Sqm has no influence on the performance of Snort when the maximum throughput is reached because the Cpu can't handle any more. You can push the limit a little further by using the Hypherscan version of Snort and activating the Hypherscan search engine, but this costs a little more RAM and miracles are not to be expected.

I just was thinking about it, not trying to challenge you.

I am very curious what results @KSofen gets though. Every time I read someone with a multi-core system say "my CPU is maxed out at 100%", I imagine they are looking at LuCi's status page and think 1.0 is 100%.

Well, I don't know about that; we survived the eclipse... :rofl:

1 Like

Even 1.0 can be 100% of a core, i.e. Cpu limit. As I said, the Pi is simply too weak for this, especially since you can't use a hypherscan there because it's only available for x86 cpus. Another thing that could help is to reduce the number of Nfq queues to 3 and pin snort to the last 3 cores with highest priority. This prevents the scheduler from driving core 0 to the limit because it tries to distribute the load of snort to all cores.

I added LuCI-Stats because I wanted stats on each core. It sucks but it does visually show different cores and CPU0 is the busiest even with balancing.

Well, you said it was too weak for 1Gbps. Since I only get ~120 (100 advertised) worst thing that would happen is it maxes out.
But I'm going to wait for @KSofen's results.

I just got my new industrial grade sd card (has its own controller for wear leveling and a lot more features so I don't need the OS to monitor health) and I'm going to move to .05 in the next couple days, so now is the time to experiment.

I have not studied it yet but I'll keep that in mind.
I'm still trying to decipher SPI in OpenWRT and I'm stuck on what hardware I'm supposed to integrate.

Well, if you have a 1 Gb line and only 120 Mbit arrive because of Snort, that's lousy or :wink: Yes, let off steam. I'm also thinking about writing a tutorial with my method to include Snort as an ips with nfq, but the fact that I don't speak English very well and therefore depend on translators keeps me from doing so.

SNORT v3 can use hyperscan which uses x86 SIMD instructions to produce about 3x-4x speed, from what I know Raspberry Pi can use NEON SIMD to simulate this, however you need to recompile almost everything (which is not available natively in all RPi supported OS), and even with that the speed is not comparable with x86 platform. Also from what I know even you try to do this on Apple Silicon the performance won't be good as well.

Thanks for all the feedback. One more bit of information to throw into the mix. My home Internet speed (claimed by ISP) is 500mbps. Using the Raspberry Pi4 as a router connected directly to the internet (wan) and using the built-in radio as wireless (lan) in AC/5 Ghz mode the most speed I get through wireless in optimal conditions is 80-100mbps. That's 10 feet from the wifi source. Obviously, the Rp4 has limitations under the best conditions. Is snort going to slow that down even more? Or is it already so slow that snort can do it's job in the background and not affect operations?

No, SNORT is not going to bottleneck it; it cannot get worse.

But I get over 100mb/s using the built in 5Ghz transferring files ethernet to Wi-Fi.
Try opening the width to 40.

The width is at 80 already. The associated stations readout says it’s connected at 300+mbps, but Speedtest varies between 80-100mbps.

Maybe back it down?

All I know is that differs from my results.
If I disable SQM, I get >100mb/s down.

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
option channel 'auto'
option band '5g'
option cell_density '0'
option country 'US'
option txpower '6'
option htmode 'VHT20'

config wifi-device 'radio1'
option type 'mac80211'
option path 'scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb1/1-1/1-1.2/1-1.2.4/1-1.2.4:1.0'
option channel '1'
option band '2g'
option country 'US'
option cell_density '0'
option txpower '1'
option htmode 'HT20'

config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'Pi2'
option encryption 'psk2+ccmp'
option key ''
option wpa_disable_eapol_key_retries '1'
list maclist ''
list maclist ''
list maclist ''
list maclist ''
list maclist ''
list maclist ''
list maclist ''
list maclist ''
list maclist '
option ieee80211w '1'

config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'Pi3'
option encryption 'psk2+ccmp'
option key ''
option network 'lan'
option wpa_disable_eapol_key_retries '1'
option ieee80211w '1'

config wifi-device 'radio2'
option type 'mac80211'
option path 'scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb1/1-1/1-1.3/1-1.3:1.0'
option channel 'auto'
option band '5g'
option htmode 'VHT20'
option cell_density '0'
option country 'US'
option txpower '3'
option disabled '1'

config wifi-iface 'default_radio2'
option device 'radio2'
option network 'lan'
option mode 'ap'
option ssid 'Pi5'
option encryption 'sae'
option key ''
option disabled '1'

config wifi-iface 'wifinet4'
option device 'radio2'
option mode 'ap'
option ssid 'Pi6'
option encryption 'sae'
option key 'i'
option network 'lan'
option ieee80211w '1'
option disabled '1'

Crap!!!!

Needs a new PW now... :angry: