[Snort-users] What does lightweight mean?

Steve Halligan agent33 at ...187...
Wed May 30 15:14:24 EDT 2001

> I have been considering Snort as an IDS for our organization, but several
> people have tried to steer me away because Snort is described as
> 'lightweight.' What does the term lightweight mean or imply? Does it mean it
> can only handle light network traffic streams, or does it mean it is light
> in terms of needed resources? Or is it something else entirely? Any thoughts
> are welcome.

Lightweight = light in terms of needed resources.  There are many VERY high
traffic networks using Snort.  Tier one ISPs, big .edus, some .govs.

> Also, I am currently running snort in the tcpdump file read mode, reading
> the files that our Shadow IDS created. Shadow only records the first 68
> bytes of each packet in the tcpdump log file. Is this enough packet data for
> the Snort rules? Or will Snort work better with more or the entire packet?

The entire packet.  Most important stuff will be in the first 68 bytes, but
you are going to miss some stuff in payload content matching.
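
An added example, not part of the original thread or of Snort or Shadow: it parses a classic pcap file and shows how much TCP payload survives a 68-byte capture length, and whether a byte pattern is still findable. The frame, addresses, request string and all function names are constructed for illustration, and plain Ethernet/IPv4/TCP framing is assumed.

```python
import struct

ETH_LEN = 14  # assumes Ethernet II framing with no VLAN tag

def sample_frame(payload):
    """Constructed IPv4/TCP frame (checksums left at zero) carrying payload."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 1025, 80, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(snaplen, frames):
    """Classic little-endian pcap in memory; each frame is cut at snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for frame in frames:
        cap = frame[:snaplen]
        out += struct.pack("<IIII", 0, 0, len(cap), len(frame)) + cap
    return out

def tcp_payloads(pcap):
    """Yield (captured_payload, original_payload_len) per IPv4/TCP record."""
    magic, *_, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap, Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        _, _, caplen, origlen = struct.unpack_from("<IIII", pcap, off)
        data = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(data) < ETH_LEN + 20 or data[12:14] != b"\x08\x00":
            continue  # not IPv4, or IP header not fully captured
        tcp_off = ETH_LEN + (data[ETH_LEN] & 0x0F) * 4
        if data[ETH_LEN + 9] != 6 or len(data) < tcp_off + 13:
            continue  # not TCP, or TCP data-offset byte not captured
        hdrs = tcp_off + (data[tcp_off + 12] >> 4) * 4
        yield data[hdrs:], max(origlen - hdrs, 0)

def content_hits(pcap, pattern):
    """Per packet: does a byte pattern appear in the payload bytes that were kept?"""
    return [pattern in captured for captured, _ in tcp_payloads(pcap)]

# Constructed request; the pattern sits past the 14 payload bytes a 68-byte snaplen keeps.
FRAME = sample_frame(b"GET /cgi-bin/constructed-example.cgi?arg=value HTTP/1.0\r\n\r\n")
if __name__ == "__main__":
    for snaplen in (68, 1514):
        pcap = build_pcap(snaplen, [FRAME])
        kept, total = next(tcp_payloads(pcap))
        print(snaplen, len(kept), total, content_hits(pcap, b"constructed-example.cgi"))
```

With option-free IP and TCP headers, 54 of the 68 captured bytes are headers, so only the first 14 payload bytes are available to match against.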

