[Soekris] A few questions

Dirk-Willem van Gulik dirkx at webweaving.org
Thu May 29 11:33:03 UTC 2003


On Thu, 29 May 2003, Jerzy Prekurat wrote:

> 4501 does not have enough memory for useful configuration of SNORT, you
> will snort very little - or you need more RAM. I cannot wait for 4801
> mostly for this reason - 256M of RAM. You do not really have to write to
> flash - you can syslog results out another interface, or save them to
> external sequel database.

I found much the same; see

	http://www.webweaving.org/kzdetect/
	http://wleiden.webweaving.org:8080/svn/node-config/kzdetect/

which is a 'lightweight' alternative to snort if you are after just
detecting and filtering something like Kazaa traffic or blocking gnutella
traffic based on port and using L3 detection. I use it to keep Kazaa
and gnutella users from totally saturating the free bandwidth I make
available with wifi so that other passers-by get at least some :-).

You'd have to hack the code to make it fit with your need. If full-blown
IDS is what you are really after; and the reason you want to use a RO box
like a soekris is security - you can always consider 'diverting' the
traffic you want to snort on to an opaque interface on an extra box. And
not connect this box to your network through that same link; but use some
other more appropriate path to log in.

Dw



