Snort mailing list archives

Re: Snort on a 486 ?

From: Saad Kadhi <saad () docisland org>
Date: Wed, 15 Jan 2003 19:36:39 +0100

On Wed, Jan 15, 2003 at 09:44:07AM -0500, Bennett Todd wrote:

2003-01-15T02:51:45 Hilton De Meillon:

will snort be able to run on a 486?


I'd expect so.

Will it be fast enough to monitor a 128k line?


Mostly, probably. I'd expect two possible issues.

First, there's memory footprint. With 1.9.0 and little tuning in the
sigs, I routinely see >>16MB VM and a working set over 5MB; with
lots of traffic and spp_portscan2 enabled, it's not uncommon to see
that memory footprint climb over 64MB.

Olde 486-vintage machines are often found with 4-8MB of RAM. That's
liable to make you unhappy. A thrashing snort probably won't work at
all.

If you can get the 486 box up to 16MB of RAM, and if you disable
portscan2 and conversation, and you don't run much else that eats
RAM on this box, that should address that issue.

just fyi, the last time I tried to load an openbsd on  a  486  box  (was
then a 2.9), I had a hell  of  a  time  getting  to  install  with  16MB
(MAKEDEV all was the culprit) and even afterwards, it was  *hum*  rather
slooooow (custom kernel, every bit of unneeded stuff left out).

maybe it is possible to install an old distro  of  a  linux/*bsd  distro
that will be happy with 16MB of RAM.

It can be done, with care, but is it worth it? You ought to be able
to get something substantially newer for $50 off eBay, I'd expect.

agreed. get newer hardware. it won't cost you much and it will save  you
sweat :).

but what you are attempting to do sound like a good "snort  benchmarking
and tuning" project.

cheers.
-- 
Saad Kadhi -- [saad () docisland org] [saad.kadhi () hapsis fr]
[pgp keyid: 35592A6D http://pgp.mit.edu]
[pgp fingerprint: BF7D D73E 1FCF 4B4F AF63  65EB 34F1 DBBF 3559 2A6D]
---


-------------------------------------------------------
This SF.NET email is sponsored by: A Thawte Code Signing Certificate 
is essential in establishing user confidence by providing assurance of 
authenticity and code integrity. Download our Free Code Signing guide:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort on a 486 ? Hilton De Meillon (Jan 15)
- Re: Snort on a 486 ? Erek Adams (Jan 15)
- Re: Snort on a 486 ? Bennett Todd (Jan 15)
  - Re: Snort on a 486 ? Saad Kadhi (Jan 15)
- <Possible follow-ups>
- RE: Snort on a 486 ? Hicks, John (Jan 15)