
BLU Discuss list archive



[Discuss] running Snort on a consumer-grade router



Tom,

When you say "running Snort on such and such router", are you talking
about installing the source for Snort on the router?  Or do you just mean
you want to use Snort to listen to traffic on said router by installing it
on a separate computer?

Chris


On Wed, Jan 18, 2012 at 3:20 AM, Tom Metro <tmetro-blu at vl.com> wrote:

> Anyone tried running Snort on a consumer-grade router?
>
> I was curious if it could be installed on a router running Tomato
> firmware, and ran across this:
>
> http://tomatousb.org/forum/t-305093/snort-and-dansguardian-on-tomatousb
>
>  ...you must first install Optware...
>  Then you can install Snort and Dansguardian
>
> Optware (a debian-like package management system) was expected, but I
> hadn't heard of DansGuardian[1], which is a "web content filter."
> Something I have no interest in, and I'm assuming just an optional,
> related tool mentioned because the OP asked about it.
>
> 1. http://dansguardian.org/?page=whatisdg
>
> More importantly another post in the same thread says:
>
>  Snort, on the other hand, is FAR too memory-hungry for use on a router
>  unless you go with a pitifully reduced ruleset. It barely fit on an
>  otherwise-empty RT-N16 with reasonable rules defined.
>
> As I understand it, Snort relies on libpcap to inspect the packets
> flowing through the router. I wonder if there are any mechanisms for
> running libpcap on the router as usual, but running the more memory
> intensive packet analysis on a full server inside the LAN. This should
> constrain the memory footprint, though I could see such a setup still
> adding CPU overhead on the router if it has to send every inbound packet
> to two destinations. Perhaps if you don't need the full packet for logging
> or analysis, the proxy code on the router could pass on just the packet
> headers.
>
> Or maybe the warning was overstated. On the next page of the thread a
> user reports being able to successfully run Snort on an RT-N16, but they
> didn't report whether they ever got custom rules working.
>
>  -Tom
>
> --
> Tom Metro
> Venture Logic, Newton, MA, USA
> "Enterprise solutions through open source."
> Professional Profile: http://tmetro.venturelogic.com/
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>



-- 
Chris O'Connell
http://outlookoutbox.blogspot.com
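As an added example, not code from the thread or from the Snort project, here is one way to build the header-only forwarding Tom sketches: a router-side filter that rewrites a libpcap capture so only the Ethernet/IPv4/TCP-or-UDP headers travel to the analysis host on the LAN. The sample packets are constructed, the 96-byte snaplen is an assumed default, and IP/TCP checksums are left zero.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap file magic (microsecond timestamps)
ETH_HLEN = 14             # Ethernet II header length

def header_len(pkt):
    """Bytes of Ethernet + IPv4 + TCP/UDP header to keep; whole packet if not IPv4."""
    if len(pkt) < ETH_HLEN + 20 or pkt[12:14] != b'\x08\x00':
        return len(pkt)
    ihl = (pkt[ETH_HLEN] & 0x0F) * 4          # IPv4 header length from IHL nibble
    proto = pkt[ETH_HLEN + 9]
    off = ETH_HLEN + ihl
    if proto == 6 and len(pkt) >= off + 20:   # TCP: length from data-offset nibble
        return min(len(pkt), off + (pkt[off + 12] >> 4) * 4)
    if proto == 17:                           # UDP: fixed 8-byte header
        return min(len(pkt), off + 8)
    return min(len(pkt), off)

def truncate_pcap(data, snaplen=96):
    """Rewrite a little-endian, linktype-1 pcap keeping only headers.
    Returns (new_pcap_bytes, bytes_kept, bytes_original)."""
    magic, vmaj, vmin, tz, sig, _snap, link = struct.unpack('<IHHiIII', data[:24])
    if magic != PCAP_MAGIC or link != 1:
        raise ValueError('expected little-endian pcap with Ethernet linktype')
    out = [struct.pack('<IHHiIII', magic, vmaj, vmin, tz, sig, snaplen, link)]
    pos, kept, total = 24, 0, 0
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl, orig = struct.unpack('<IIII', data[pos:pos + 16])
        pkt = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        keep = min(header_len(pkt), snaplen)
        # orig_len stays untouched so the analyser still sees the true packet size
        out.append(struct.pack('<IIII', ts_sec, ts_usec, keep, orig) + pkt[:keep])
        kept, total = kept + keep, total + incl
    return b''.join(out), kept, total

def _tcp_packet(payload, sport=40000, dport=80):
    """Constructed sample: Ethernet + IPv4 + TCP (no options) + payload, checksums zero."""
    eth = b'\x00' * 12 + b'\x08\x00'
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_sample_pcap(payloads):
    """Constructed pcap with one TCP packet per payload (hypothetical LAN traffic)."""
    hdr = struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    recs = [struct.pack('<IIII', 1326875000 + i, 0, len(p), len(p)) + p
            for i, p in enumerate(_tcp_packet(pl) for pl in payloads)]
    return hdr + b''.join(recs)
```

Feeding such a stripped stream to an off-router Snort gives it headers for port- and flag-based rules but nothing for content matching, which is the trade-off Tom anticipates.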


