[Snort-users] What does lightweight mean?

Chris Green cmg at ...671...
Wed May 30 15:46:58 EDT 2001


"Anderson, Bill" <wander01 at ...2144...> writes:

> I have been considering Snort as an IDS for our organization, but several
> people have tried to steer me away because Snort is described as
> 'lightweight.' What does the term lightweight mean or imply? Does it mean it
> can only handle light network traffic streams, or does it mean it is light
> in terms of needed resources? Or is it something else entirely? Any thoughts
> are welcome.

They probably mean "lightweight" as in not up to the task.  As
you are talking to the Snort list, I'm sure you can guess the opinion
here.  Many things have limitations and it's best to understand all
the tradeoffs by knowing how they work.

> 
> Also, I am currently running snort in the tcpdump file read mode, reading
> the files that our Shadow IDS created. Shadow only records the first 68
> bytes of each packet in the tcpdump log file. Is this enough packet data for
> the Snort rules? Or will Snort work better with more or the entire packet?
>

Entire packets. ;)
-- 
Chris Green <cmg at ...671...>
Fame may be fleeting but obscurity is forever.
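
The snaplen question above, as an added example that is not part of the original message: it builds a constructed Ethernet/IPv4/TCP frame, writes it to a classic pcap at full length and at the 68-byte snaplen mentioned in the question, and reports how much TCP payload is left for a payload-matching rule to inspect. The addresses, ports, payload and `PATTERN` string are constructed sample values, and the helper names are hypothetical.

```python
import struct

PATTERN = b"EXAMPLE-PATTERN"  # constructed stand-in for a rule's content string
PAYLOAD = b"GET /index.html HTTP/1.0\r\nX-Note: " + PATTERN + b"\r\n\r\n"

def tcp_frame(payload):
    """Constructed Ethernet/IPv4/TCP frame (no options, checksums left at 0)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames, snaplen):
    """Classic little-endian pcap; each frame is cut to snaplen like a capture."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for f in frames:
        kept = f[:snaplen]
        out += struct.pack("<IIII", 0, 0, len(kept), len(f)) + kept
    return out

def payload_visibility(pcap, pattern):
    """Per TCP packet: (payload bytes on wire, payload bytes captured, pattern seen)."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    results, off = [], 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl, _orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        data = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(data) < 34 or data[12:14] != b"\x08\x00" or data[23] != 6:
            continue  # not IPv4/TCP, or cut before the IP header ends
        ihl = (data[14] & 0x0F) * 4
        total_len = struct.unpack("!H", data[16:18])[0]
        tcp_off = 14 + ihl
        if len(data) < tcp_off + 13:
            results.append((None, 0, False))  # cut inside the TCP header
            continue
        doff = (data[tcp_off + 12] >> 4) * 4
        captured = data[tcp_off + doff:]  # empty if options fill the snaplen
        results.append((total_len - ihl - doff, len(captured), pattern in captured))
    return results

if __name__ == "__main__":
    for snaplen in (65535, 68):
        print(snaplen, payload_visibility(build_pcap([tcp_frame(PAYLOAD)], snaplen), PATTERN))
```

With 54 bytes of Ethernet, IP and TCP headers, a 68-byte snaplen leaves 14 bytes of payload, and fewer when TCP options are present.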



