Re: How to reduce the binary size of snort?

[Nigel Houghton <nhoughton () sourcefire com>]

On Mon, Jun 8, 2009 at 6:40 PM, Randal T. Rioux<randy () procyonlabs com> wrote:
> Leon Ward wrote:
> > What's your device?
>
> Don't top-post. See rest of comment(s) below.
>
> > On Mon, Jun 8, 2009 at 6:23 AM, S U B A <jv.suri () gmail com
> > <mailto:jv.suri () gmail com>> wrote:
> >
> >     Hi ,
> >           I`m trying to fit snort in our device and we have some space
> >     constrains with this. Thats why I wanted to know why the current
> >     snort size is very large, previously i used snort_inline 2.6 version
> >     which of size 1.7 Mb. I wanted to know why the current version is so
> >     huge when compared to older versions.
> >
> >     Thanks and Regards,
> >     Suresh Babu
> >
> >     On Fri, Jun 5, 2009 at 3:22 PM, Nigel Houghton
> >     <nhoughton () sourcefire com <mailto:nhoughton () sourcefire com>> wrote:
> >
> >         On Fri, Jun 5, 2009 at 7:39 AM, S U B A<jv.suri () gmail com
> >         <mailto:jv.suri () gmail com>> wrote:
> >         > Hello All,
> >         >              Currently snort binary size after compilation is
> >         8652 Kb (FC9
> >         > and 2.6.25.11 kernel), after stripping it is 6488 Kb. How to
> >         reduce the size
> >         > of the snort binary?
> >         > The parser.c is of 268 Kb and why the parser.o is of size 5824
> >         Kb?? I think
> >         > because of this parser.o the snort binary size is very large.
> >         > Can anyone give some suggestions on how to reduce the size of
> >         snort binary?
> >
> >         Why do you want to do this? Why do you believe it is too large? What
> >         is it that you, who is "new to snort", are trying to do?
>
> The most annoying thing in the world to me is when people answer "how
> to" questions with "why" answers. If you don't know the answer, then
> don't spam the list. Most of us choose this field because of the
> creativity it allows us to engage in, not to find out how many ways we
> can avoid a challenge.
>
> That being said, look through the CVS logs to see when massive changes
> may have occurred, like for parser.c:
>
> http://cvs.snort.org/viewcvs.cgi/snort/src/parser.c
>
> I don't have the time right now to dig through it, but hopefully this
> can help a little bit.
>
> And remember, if someone wants to try and run Snort on a toaster, don't
> ask why... ask how you can help!

I ask because if there is a particular device that Snort is going to
run on, it might help to know that fact. Indeed, someone may have
already accomplished the task of running Snort on that particular
device. The question may have originally been "How can I reduce the
snort binary size so that I can run it on my Soekris box and still
maintain functionality?" In which case, a specific question like that
may be easier to answer. If the reason for running Snort on a
particular device is ascertained, it may be that there is a better
solution, how can we know if we do not have this information?

Without good questions, there can be no good answers. Vague questions
lead to vague answers, much like yours.

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/

------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users