Snort mailing list archives
Re: What does lightweight mean?
From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 30 May 2001 15:03:00 -0400
"Anderson, Bill" wrote:
I have been considering Snort as an IDS for our organization, but several people have tried to steer me away because Snort is described as 'lightweight.' What does the term lightweight mean or imply? Does it mean it can only handle light network traffic streams, or does it mean it is light in terms of needed resources? Or is it something else entirely? Any thoughts are welcome.
Lightweight is an old term and a misnomer these days unless you understand the spirit in which it was written. Back in the dark ages (early 1999) Snort was still fairly primitive and very small. "Lightweight" referred to limited functionality in the detection capabilities and it also referred to system footprint. You could comfortably run Snort on servers with critical apps running and it wouldn't impact performance or memory utilization noticeably.

As time progressed we reengineered the primary functional subsystems of Snort and optimized them for flexibility and performance. The reengineering effort was fully realized with Snort 1.5 in December of 1999. Version 1.5 included a new packet decoding subsystem, a new detection engine, and the preprocessor modular interface. These subsystems' speed and capabilities put Snort on the same footing with commercial NIDS of the day, giving Snort the ability to perform the tasks that you would find in sensors costing tens of thousands of dollars. At the same time Snort's dynamic architecture allowed us to keep the system footprint minimal and so we kept the "lightweight" name around. That's where the name comes from and why it's still called the lightweight network intrusion detection system.

Anyone who would say that Snort's functional capabilities are inferior to commercial systems on the market today either doesn't know what they're talking about or is trying to sell you something. Snort is 2.5 years old. Any documentation you might read that was written before December 1999 is extremely out of date (including the "lisapaper").
Also, I am currently running snort in the tcpdump file read mode, reading the files that our Shadow IDS created. Shadow only records the first 68 bytes of each packet in the tcpdump log file. Is this enough packet data for the Snort rules? Or will Snort work better with more or the entire packet?
You can miss a lot with 68-byte packets; Snort will work best with the full packets. You can set up Snort as your SHADOW sensor component since it can take the same BPF filters and produce the same pcap formatted output files as well. Snort gives you the added capability to do real-time alerting and payload analysis, plus IP defragmentation and TCP stream reassembly, which tcpdump is unable to do.

-Marty

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org
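To make the 68-byte snaplen point concrete, here is an added example that is not from the original post or from the Snort project. It builds a constructed Ethernet/IPv4/TCP frame (MAC and IP addresses, ports and the HTTP request are all made up, and checksums are left at zero), truncates it the way a capture with `-s 68` would, and then checks whether an illustrative content pattern of the kind a Snort rule would carry still appears in the bytes that survived. A 54-byte header stack leaves only 14 payload bytes at snaplen 68; add a 12-byte TCP options block (timestamps, as most modern stacks send) and only 2 payload bytes remain, so a payload-based rule can never fire on such a capture.

```python
import struct

SHADOW_SNAPLEN = 68  # the snaplen the post says SHADOW's tcpdump used

# Constructed sample traffic (not real captures): an HTTP request whose
# pattern a payload-matching rule would look for.
SAMPLE_REQUEST = b"GET /cgi-bin/phf HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
SAMPLE_PATTERN = b"/cgi-bin/phf"  # illustrative rule content, not a shipped Snort rule

# RFC 1323 timestamp option padded to 12 bytes (NOP, NOP, TSopt kind=8 len=10)
TCP_TIMESTAMP_OPTS = b"\x01\x01\x08\x0a" + struct.pack("!II", 1000, 0)


def build_tcp_frame(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Build Ethernet + IPv4 + TCP + payload with constructed addresses.

    Checksums are zero; the example only needs correct lengths and offsets.
    """
    if len(tcp_options) % 4:
        raise ValueError("TCP options must pad to a multiple of 4 bytes")
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp_hdr_len = 20 + len(tcp_options)
    total_len = 20 + tcp_hdr_len + len(payload)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    )
    data_offset_byte = (tcp_hdr_len // 4) << 4
    tcp = struct.pack(
        "!HHIIBBHHH", 40000, 80, 1, 0, data_offset_byte, 0x18, 8192, 0, 0
    ) + tcp_options
    return eth + ip + tcp + payload


def captured_payload(frame: bytes, snaplen: int) -> bytes:
    """Return the TCP payload bytes that survive truncation at `snaplen`.

    Walks the headers using the IHL and data-offset fields exactly as a
    decoder would, so an incomplete header simply yields no payload.
    """
    captured = frame[:snaplen]
    if len(captured) < 14 + 20:
        return b""
    ihl = (captured[14] & 0x0F) * 4
    tcp_start = 14 + ihl
    if len(captured) < tcp_start + 13:  # need the data-offset byte at +12
        return b""
    doff = (captured[tcp_start + 12] >> 4) * 4
    return captured[tcp_start + doff:]


def content_matches(frame: bytes, snaplen: int, pattern: bytes) -> bool:
    """Would a plain payload content match fire on this capture at this snaplen?"""
    return pattern in captured_payload(frame, snaplen)


if __name__ == "__main__":
    for label, opts in (("no TCP options", b""), ("timestamp options", TCP_TIMESTAMP_OPTS)):
        frame = build_tcp_frame(SAMPLE_REQUEST, opts)
        for snaplen in (SHADOW_SNAPLEN, len(frame)):
            kept = captured_payload(frame, snaplen)
            print(f"{label:18s} snaplen={snaplen:4d} payload bytes kept={len(kept):3d} "
                  f"match={content_matches(frame, snaplen, SAMPLE_PATTERN)}")
```

Running it shows 14 payload bytes kept at snaplen 68 without options and 2 with timestamp options, with the pattern matching only once the whole frame is captured; that is the gap Marty is describing between a header-only SHADOW capture and a sensor that sees full packets.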
Current thread:
- What does lightweight mean? Anderson, Bill (May 30)
- Re: What does lightweight mean? Martin Roesch (May 30)
- Re: What does lightweight mean? Martin Roesch (May 30)
- Snort vs TCPdump Jean sébastien Op de Beeck (May 30)
- Re: Snort vs TCPdump Denis Ducamp (May 30)
- Re: Snort vs TCPdump Fyodor (Jun 02)
- Re: What does lightweight mean? Martin Roesch (May 30)
- Re: What does lightweight mean? Martin Roesch (May 30)
- Re: What does lightweight mean? Chris Green (May 30)
- Re: What does lightweight mean? Talisker (May 31)
- <Possible follow-ups>
- RE: What does lightweight mean? Steve Halligan (May 30)