Anyone tried running Snort on a consumer-grade router?

I was curious if it could be installed on a router running Tomato firmware, and ran across this:

http://tomatousb.org/forum/t-305093/snort-and-dansguardian-on-tomatousb

  ...you must first install Optware... Then you can install Snort and Dansguardian

Optware (a Debian-like package management system) was expected, but I hadn't heard of DansGuardian[1], which is a "web content filter." Something I have no interest in, and I'm assuming just an optional, related tool mentioned because the OP asked about it.

1. http://dansguardian.org/?page=whatisdg

More importantly, another post in the same thread says:

  Snort, on the other hand, is FAR too memory-hungry for use on a router unless you go with a pitifully reduced ruleset. It barely fit on an otherwise-empty RT-N16 with reasonable rules defined.

As I understand it, Snort relies on libpcap to inspect the packets flowing through the router. I wonder if there are any mechanisms for running libpcap on the router as usual, but running the more memory-intensive packet analysis on a full server inside the LAN.

This should constrain the memory footprint, though I could see such a setup still adding CPU overhead on the router if it has to send every inbound packet to two destinations. Perhaps if you don't need full packet for logging or analysis, the proxy code on the router could pass on just the packet headers.

Or maybe the warning was overstated. On the next page of the thread a user reports being able to successfully run Snort on an RT-N16, but they didn't report whether they ever got custom rules working.

 -Tom

--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
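The header-only forwarding idea raised in the message above, sketched as an added example that is not part of the original post: it cuts every record of a classic pcap capture down to its Ethernet, IPv4 and TCP/UDP headers before the capture would be shipped to an analysis host. The function names are hypothetical, the code assumes a little-endian classic pcap file with Ethernet framing, and the sample packet is constructed.

```python
import struct

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, version x2, zone, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len
ETH_LEN = 14

def header_length(frame):
    """Length of the Ethernet + IPv4 + TCP/UDP headers; whole frame if not IPv4."""
    if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
        return len(frame)
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    if ihl < 20:
        return len(frame)                # malformed IPv4 header: leave the frame alone
    proto, l4 = frame[ETH_LEN + 9], ETH_LEN + ihl
    if proto == 6 and len(frame) >= l4 + 13:
        l4 += max(20, (frame[l4 + 12] >> 4) * 4)   # TCP data offset, in 32-bit words
    elif proto == 17:
        l4 += 8                                     # fixed-size UDP header
    return min(len(frame), l4)

def strip_payloads(pcap_bytes):
    """Return a copy of the capture with each record cut down to its headers."""
    magic, *_, linktype = PCAP_GLOBAL.unpack_from(pcap_bytes, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian classic pcap with Ethernet frames")
    out, pos = bytearray(pcap_bytes[:PCAP_GLOBAL.size]), PCAP_GLOBAL.size
    while pos + PCAP_RECORD.size <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, orig_len = PCAP_RECORD.unpack_from(pcap_bytes, pos)
        pos += PCAP_RECORD.size
        frame = pcap_bytes[pos:pos + incl_len]
        if len(frame) < incl_len:
            raise ValueError("capture ends in the middle of a record")
        pos += incl_len
        keep = header_length(frame)
        # orig_len is preserved so the analysis host still sees the on-wire size
        out += PCAP_RECORD.pack(ts_sec, ts_usec, keep, orig_len) + frame[:keep]
    return bytes(out)

def sample_capture():
    """Constructed one-packet capture: TCP segment carrying an 18-byte HTTP request."""
    payload = b"GET / HTTP/1.1\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    frame = bytes(12) + b"\x08\x00" + ip + tcp + payload
    return (PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + PCAP_RECORD.pack(0, 0, len(frame), len(frame)) + frame)
```

On the constructed sample the 72-byte frame shrinks to 54 bytes. Rules that match on payload content have nothing to inspect in a header-only copy, so this only suits header-based analysis and logging.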