[Snort-users] What does lightweight mean?

Steve Halligan agent33 at ...187...
Wed May 30 15:14:24 EDT 2001

> I have been considering Snort as an IDS for our organization, but several
> people have tried to steer me away because Snort is described as
> 'lightweight.' What does the term lightweight mean or imply? Does it mean it
> can only handle light network traffic streams, or does it mean it is light
> in terms of needed resources? Or is it something else entirely? Any thoughts
> are welcome.

Lightweight = light in terms of needed resources.  There are many VERY high
traffic networks using Snort.  Tier one ISPs, big .edus, some .govs.

> Also, I am currently running snort in the tcpdump file read mode, reading
> the files that our Shadow IDS created. Shadow only records the first 68
> bytes of each packet in the tcpdump log file. Is this enough packet data for
> the Snort rules? Or will Snort work better with more or the entire packet?

The entire packet.  Most important stuff will be in the first 68 bytes, but
you are going to miss some stuff in payload content matching.
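
The effect of the 68-byte capture length discussed above, as an added example that is not part of the original post and is not Snort code. It assumes Ethernet framing and IPv4; the frame, addresses, request and function names are constructed for illustration, and a plain substring search stands in for a payload content rule.

```python
import struct

SNAPLEN = 68  # bytes kept per packet, as in the capture described above

def build_frame(payload, tcp_options=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at zero."""
    assert len(tcp_options) % 4 == 0
    eth = bytes(12) + b"\x08\x00"                      # MACs zeroed, type IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0,
                     40 + len(tcp_options) + len(payload), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    doff = (20 + len(tcp_options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, doff << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + tcp_options + payload

def captured_payload(frame, snaplen=None):
    """TCP payload bytes still present once the frame is cut at snaplen."""
    data = frame if snaplen is None else frame[:snaplen]
    if len(data) < 34 or data[12:14] != b"\x08\x00" or data[23] != 6:
        return b""
    tcp_off = 14 + (data[14] & 0x0F) * 4
    if len(data) < tcp_off + 20:
        return b""                                     # TCP header itself cut
    return data[tcp_off + (data[tcp_off + 12] >> 4) * 4:]

def content_match(frame, pattern, snaplen=None):
    """Stand-in for a payload content rule: plain substring search."""
    return pattern in captured_payload(frame, snaplen)

if __name__ == "__main__":
    request = b"GET /index.html HTTP/1.0\r\nUser-Agent: constructed-sample\r\n\r\n"
    for label, opts in (("no TCP options", b""), ("12 bytes of options", b"\x01" * 12)):
        frame = build_frame(request, opts)
        kept = captured_payload(frame, SNAPLEN)
        print(label, "->", len(kept), "payload bytes kept:", kept)
        for pat in (b"GET ", b"index.html", b"User-Agent"):
            print("  ", pat, "full:", content_match(frame, pat),
                  "truncated:", content_match(frame, pat, SNAPLEN))
```

With 14 + 20 + 20 bytes of headers, only 14 payload bytes fit inside 68, and TCP options shrink that further, so patterns that sit deeper in the payload or straddle the cut never match.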


