RE: What does lightweight mean?

[Steve Halligan <agent33 () geeksquad com>]

> I have been considering Snort as an IDS for our organization, 
> but several
> people have tried to steer me away because Snort is described as
> 'lightweight.' What does the term lightweight mean or imply? 
> Does it mean it
> can only handle light network traffic streams, or does it 
> mean it is light
> in terms of needed resources? Or is it something else 
> entirely? Any thoughts
> are welcome.

Lightweight= light in terms of needed resources.  There are many VERY high
traffic networks using Snort.  Tier one ISP's, big .edu's, some .gov's.

> Also, I am currently running snort in the tcpdump file read 
> mode, reading
> the files that our Shadow IDS created. Shadow only records 
> the first 68
> bytes of each packet in the tcpdump log file. Is this enough 
> packet data for
> the Snort rules? Or will Snort work better with more or the 
> entire packet?

The entire packet.  Most important stuff will be in the first 68 bytes, but
you are going to miss some stuff in payload content matching.

-Steve

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users