Snort mailing list archives

Re: Snort on a 486 ?


From: Bennett Todd <bet () rahul net>
Date: Wed, 15 Jan 2003 09:44:07 -0500

2003-01-15T02:51:45 Hilton De Meillon:
> Will snort be able to run on a 486?

I'd expect so.

> Will it be fast enough to monitor a 128k line?

Mostly, probably. I'd expect two possible issues.

First, there's memory footprint. With 1.9.0 and little tuning in the
sigs, I routinely see >>16MB VM and a working set over 5MB; with
lots of traffic and spp_portscan2 enabled, it's not uncommon to see
that memory footprint climb over 64MB.

Olde 486-vintage machines are often found with 4-8MB of RAM. That's
liable to make you unhappy. A thrashing snort probably won't work at
all.

If you can get the 486 box up to 16MB of RAM, and if you disable
portscan2 and conversation, and you don't run much else that eats
RAM on this box, that should address that issue.

The second half of the problem is logging. In many, perhaps most
settings, snort is very noisy until and unless you tune the
signatures. You'll want to do the most efficient logging possible,
and you'll want to tune the signatures so snort is mostly quiet. If
it's logging all the time, then the 486-vintage-machine's
impressively slow hard disk will become an issue.

It can be done, with care, but is it worth it? You ought to be able
to get something substantially newer for $50 off eBay, I'd expect.

-Bennett
