[Linux admin] Received Mon, 29 Dec 2008 01:54:43 PHT

Snort server security, CPU resources needed by snort: some information on the CPU and RAM usage of a snort-protected server

Server security always consumes server resources: CPU load and RAM. However, the additional benefits are well worth the extra resources consumed by snort. On shared hosting, this kind of server security is impossible, simply because a normal shared host packs as many sites as possible onto one machine for the tiny amount they charge you. With maximum profit in mind, nothing is left over for security features on your site.

True site security / server security requires a dedicated server!

Security on servers is just like security in a political environment: expensive. On my previous server I never would have had the CPU and memory resources to accommodate all the security features I run now on my new server setup.

If server security is to be effective and give real peace of mind, you need to run the best tools and use all of their hard-core features. Snort is the choice, together with a large set of rules, including self-made or adapted rules for your individual server environment and the software you run. The question is how many additional resources you need to run snort, possibly in combination with mod_security and other security modules. All of it needs to run on a high-end server, or your overall visitor experience suffers: page load needs to be as fast as possible.

Server security, however, is also self-paying: snort and the other security features consume CPU and memory, BUT at the same time tight security keeps a lot of spammers, hackers, fake bots and other auto-generated, non-human traffic OUT of your server. Serious server security, if configured properly, uses a certain amount of resources and saves a comparable amount. The result is an overall server load similar to before, but with more security and more peace of mind. From a server-resource point of view, site security is therefore free, with the additional gain in security and thus also in server stability.

Currently I have medium traffic on my server: 500'000 to 700'000 hits / file requests per day; rush hours are over until tomorrow, Monday. The average additional server load by snort is negligible. The peak load caused by snort during seconds or fractions of seconds is:

On a dual x86_64 server with 4 GB RAM:

  • peak CPU by snort for shortest seconds or fractions of seconds: 18%
  • peak Memory ( RAM ) usage for shortest bursts of time: 26%
  • average CPU usage by snort most of the time: 1%
  • average Memory usage by snort most of the time 6%

Average resource consumption by snort

Average CPU / RAM resource usage by snort

Server overload when snort rules cause false positives

To avoid snort itself becoming a burden on the server, you really have to watch your logs for a while and investigate every snort alert and log entry. Many, if not most, of these alerts can be avoided entirely by adapting and optimizing the snort rules to your server configuration. Logging consumes resources and slows page loads for your human visitors, so avoid logging false alerts: correct and tune the existing rules until the alerts triggered by your own server configuration are gone!

When running ALL available snort rules, including all community rules, your snort log will grow like a mushroom. Perhaps 90%-98% of the entries are false alerts caused by a mismatch between the rules and your configuration. False alerts are useless logging that disguises the real alerts: if you have a hundred lines of false alerts and one single real abuse by a hacker or a malicious script, chances are that you will overlook the one logged entry that really matters!

Your rules need to be as tight as possible, but false alerts need to be avoided completely whenever possible; over time you learn how to accomplish this. Fortunately for you, snort log entries are self-explanatory: each carries the rule message and the generator/signature ID (gid:sid:rev) of the rule that created the alert. Look up that rule and make corrections as needed. Maintain server security but remove or adapt rules that cause false alerts, or add exceptions that exempt your own server from triggering alerts where that is safe. Learn to understand and know the rules, and know what you are doing before you change anything that might jeopardize your server security.
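The tuning loop described above, as an added example that is not part of the original post: a small script that parses Snort's alert_fast log lines, counts how often each rule fired, and proposes threshold.conf "suppress" entries (Snort 2.x syntax) only for alerts whose source is one of your own hosts, so the rule stays active for everybody else. The alert lines are constructed for this example; the local-range SIDs 1000001-1000004, the web server address 10.0.0.5 and the monitoring host 10.0.0.9 are assumptions, not values from the post.

```python
import re
from collections import Counter

# Constructed sample of Snort "alert_fast" output (made up for this example, not
# taken from the post). SIDs 1000001+ are the local-rule range; 10.0.0.5 is the
# assumed web server itself and 10.0.0.9 an assumed monitoring host.
SAMPLE_ALERTS = """\
12/29-01:12:03.101010  [**] [1:1000001:1] LOCAL robots.txt fetch [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 10.0.0.5:38012 -> 10.0.0.5:80
12/29-01:14:41.202020  [**] [1:1000001:1] LOCAL robots.txt fetch [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 10.0.0.5:38020 -> 10.0.0.5:80
12/29-01:17:05.303030  [**] [1:1000001:1] LOCAL robots.txt fetch [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 10.0.0.5:38031 -> 10.0.0.5:80
12/29-01:17:06.404040  [**] [1:1000002:1] LOCAL monitoring HTTP check [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.9:44100 -> 10.0.0.5:80
12/29-01:18:55.505050  [**] [1:1000002:1] LOCAL monitoring HTTP check [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.9:44102 -> 10.0.0.5:80
12/29-01:20:12.606060  [**] [1:1000003:1] LOCAL phpMyAdmin path probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:51234 -> 10.0.0.5:80
12/29-01:22:40.707070  [**] [1:1000004:1] LOCAL SQL injection attempt in query string [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:60211 -> 10.0.0.5:80
"""

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        alerts.append({
            "gid": int(m.group("gid")),
            "sid": int(m.group("sid")),
            "msg": m.group("msg"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "priority": int(m.group("prio")) if m.group("prio") else None,
        })
    return alerts


def count_by_rule(alerts):
    """How often each (gid, sid, msg) fired; the noisiest rules are the tuning candidates."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)


def trusted_source_rules(alerts, trusted_ips):
    """(gid, sid, src) triples for alerts whose source is one of our own hosts."""
    return {(a["gid"], a["sid"], a["src"]) for a in alerts if a["src"] in trusted_ips}


def suppress_lines(triples):
    """Render threshold.conf 'suppress' entries (Snort 2.x syntax) for the triples.

    Suppressing by source address keeps the rule active for every other host,
    which is safer than deleting or commenting out the rule.
    """
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"
            for gid, sid, ip in sorted(triples)]


def filter_suppressed(alerts, triples):
    """Alerts that would still be logged once the suppress entries are in place."""
    return [a for a in alerts if (a["gid"], a["sid"], a["src"]) not in triples]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("alerts per rule:")
    for (gid, sid, msg), n in count_by_rule(alerts).most_common():
        print(f"  {n:4d}  [{gid}:{sid}] {msg}")
    triples = trusted_source_rules(alerts, {"10.0.0.5", "10.0.0.9"})
    print("\nproposed threshold.conf entries (review each one before adding it):")
    for line in suppress_lines(triples):
        print("  " + line)
    print("\nalerts left after suppression:")
    for a in filter_suppressed(alerts, triples):
        print(f"  [{a['gid']}:{a['sid']}] {a['msg']} from {a['src']}")
```

Run against your real alert file instead of the constructed sample and the first table tells you which rules to look at first. Treat the generated suppress entries as proposals: a trusted host can be compromised, so only add an entry once you have confirmed that the traffic from that host is legitimate, and keep the five remaining rules firing for untrusted sources. Both rules left over in the sample are the priority-1 web attacks you actually want to see.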

Snort is working: verify snort reports and snort stats

While writing this post I did a few snort starts and stops, and have a brief period of data to show how many packets went through and how many malicious packets have been dropped during the 28 minutes shown in the snort report below. Snort gives a full and detailed report, far larger than what is shown below. To call up a full report, just type:

rcsnortd stats

in your shell and view the output there, or as logged to syslog in /var/log/messages on openSUSE.

28 minutes of snort work

As you can see, snort dropped some 9855 packets = 2.9%. Usually my average is more around 1%. The point is that one percent or more of the packets travelling across the web into your site / server are malicious. One check before you read your own statistics this way: in a plain sniffing (IDS) setup Snort only alerts and never drops anything, and the "Dropped" counter in its packet totals counts packets the capture interface lost because Snort could not keep up, which is a symptom of the overload discussed above; only an inline setup actually discards traffic, so make sure you know which counter you are looking at. Most site owners have NO idea and believe all is fine, just because they never took the time to verify real-life traffic. All servers may be in a similar range of hacker attacks and malicious traffic. Most site owners lack the time, knowledge or funds to finance server security, or, even worse, lack interest in and care for global security.

Good luck in your efforts to make the Internet and this world a safer place for all.

Love and Bliss

hans
