Re: What does lightweight mean?

[Martin Roesch <roesch () sourcefire com>]

"Anderson, Bill" wrote:
> I have been considering Snort as an IDS for our organization, but several
> people have tried to steer me away because Snort is described as
> 'lightweight.' What does the term lightweight mean or imply? Does it mean it
> can only handle light network traffic streams, or does it mean it is light
> in terms of needed resources? Or is it something else entirely? Any thoughts
> are welcome.

Lightweight is an old term and a misnomer these days unless you
understand the spirit in which it was written.  Back in the dark ages
(early 1999) Snort was still fairly primitive and very small. 
"Lightweight" referred to limited functionality in the detection
capabilities and it also referred to system footprint.  You could
comfortably run Snort on servers with critical apps running and it
wouldn't impact performance or memory utilization noticably.  As time
progressed we reengineered the primary functional subsystems of Snort
and optimized them for flexibility and performance.  The reengineering
effort was fully realized with Snort 1.5 in December of 1999.  Version
1.5 included a new packet decoding subsystem, a new detection engine,
and the preprocessor modular interface.  These subsystem's speed and
capabilities put Snort on the same footing with commercial NIDS of the
day, giving Snort the ability to perform the the tasks that you would
find in sensors costing tens of thousands of dollars.  At the same time
Snort's dynamic architecture allowed us to keep the system footprint
minimal and so we kept the "lightweight" name around.

That's where the name comes from and why it's still called the
lightweight network intrusion detection system.  Anyone who would say
that Snort's functional capabilities as inferior to commercial systems
on the market today either doesn't know what they're talking about or is
trying to sell you something.

Snort is 2.5 years old.  Any documentation you might read that was
written before December 1999 is extremely out of date (including the
"lisapaper").  

> Also, I am currently running snort in the tcpdump file read mode, reading
> the files that our Shadow IDS created. Shadow only records the first 68
> bytes of each packet in the tcpdump log file. Is this enough packet data for
> the Snort rules? Or will Snort work better with more or the entire packet?

You can miss a lot with 68-byte packets, Snort will work best with the
full packets.  You can setup Snort as your SHADOW sensor component since
it can take the same BPF filters and produce the same pcap formatted
output files as well.  Snort gives you the added capability to do
real-time alerting and payload analysis, plus IP defragmentation and TCP
stream reassembly which tcpdump is unable to do.  2 100Mbps Intel
Etherexpress 100Pro Ethernet Interfaces

     -Marty


--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users