Snort mailing list archives
Re: Snort on a 486 ?
From: Bennett Todd <bet () rahul net>
Date: Wed, 15 Jan 2003 09:44:07 -0500
2003-01-15T02:51:45 Hilton De Meillon:
> will snort be able to run on a 486?

I'd expect so.

> Will it be fast enough to monitor a 128k line?

Mostly, probably. I'd expect two possible issues.

First, there's memory footprint. With 1.9.0 and little tuning in the sigs, I routinely see >>16MB VM and a working set over 5MB; with lots of traffic and spp_portscan2 enabled, it's not uncommon to see that memory footprint climb over 64MB. Olde 486-vintage machines are often found with 4-8MB of RAM. That's liable to make you unhappy. A thrashing snort probably won't work at all. If you can get the 486 box up to 16MB of RAM, and if you disable portscan2 and conversation, and you don't run much else that eats RAM on this box, that should address that issue.

The second half of the problem is logging. In many, perhaps most settings, snort is very noisy until and unless you tune the signatures. You'll want to do the most efficient logging possible, and you'll want to tune the signatures so snort is mostly quiet. If it's logging all the time, then the 486-vintage-machine's impressively slow hard disk will become an issue.

It can be done, with care, but is it worth it? You ought to be able to get something substantially newer for $50 off eBay, I'd expect.

-Bennett
Current thread:
- Snort on a 486 ? Hilton De Meillon (Jan 15)
- Re: Snort on a 486 ? Erek Adams (Jan 15)
- Re: Snort on a 486 ? Bennett Todd (Jan 15)
- Re: Snort on a 486 ? Saad Kadhi (Jan 15)
- <Possible follow-ups>
- RE: Snort on a 486 ? Hicks, John (Jan 15)