Slashdot Mirror

← Back to Stories (view on slashdot.org)

CheckPoint Acquires Snort

Posted by CmdrTaco on from the done-sniffing-each-other dept.

bobdehnhardt writes "The Snort-announce list was burning with the news that CheckPoint has signed an agreement to acquire Sourcefire, the commercial arm of the Snort community. As part of the agreement, CheckPoint will "continue to develop and distribute Snort under the GPL, improve and document the program to stay on the cutting edge and expand the snort.org web site." Here is a message from Snort creator Marty Roesch."

82 of 118 comments (clear)

  1. SnortFIRST by Anonymous Coward · · Score: 1, Interesting

    best.Tool.Ever.

    Hope this does not compromise the GPL nature of this fantasitic project.

  2. " Here is a message from Snort creator Marty Roesc by b1gk1tty · · Score: 5, Funny

    " Here is a message from Snort creator Marty Roesch."

    I'm rich I'm rich I'm filthy f*ckin rich!

  3. while snort is a fine piece of software ... by Anonymous Coward · · Score: 1, Insightful

    I think its usefulness is very limited.

    It is nice to know I am protecting/monitoring my LAN from KNOWN attacks,
    is does very little to stop a determined attacker who can write
    their own shellcode and exploits.

    Which, if you hop on IRC now days, represents quite a few attackers.
    The people we made fun of long ago have aquired the skills to get around
    snort rather easily.

    So, rest at night, thinking you have protected your lan, while in reality
    you have not.

    1. Re:while snort is a fine piece of software ... by j_kenpo · · Score: 2, Interesting

      Which is why you run Snort with full packet logging mode in addition to alert mode. This way, if an alert is missed, you can still see all packets sent in an attack and build an alert from that. Just make sure you have enough storage space.

    2. Re:while snort is a fine piece of software ... by b0r1s · · Score: 5, Informative

      It's worth mentioning that it's possible to trigger on known attack VECTORS rather than just known attacks - that is, on some vulnerabilities, all possible attacks will have a single signature at some point in the packet, which WILL be triggered. Moreover, some PROTOCOLS will always have the same signature, which may be hit as byproducts of the attack (ie: if I see an IRC packet coming from a webserver, I'm going to alert no matter what port it's on, or where it's going, because it shouldn't be there, period).

      Snort can be bypassed in many scenarios, but it's still very useful.

      --
      Mooniacs for iOS and Android
    3. Re:while snort is a fine piece of software ... by PGillingwater · · Score: 5, Informative

      Plus you might find that a shellcode exploit requires a shellcode sled, which can be detected. And many of the people who use Snort might not know that Sourcefire has made a major innovation with RNA -- a passive traffic analysis system which tells you what hosts are in your LAN, and what ports are being used -- kind of like NTOP, but with better consolidation and reporting.

      --
      Paul Gillingwater
      MBA, CISSP, CISM
    4. Re:while snort is a fine piece of software ... by kc0re · · Score: 1

      This is the way the Snort rules from the VRT are designed. To look for the Vector (the vulnerability) instead of the exploit. An exploit can be coded a hundred different ways (let's just say for arguements sake) The vulnerability (theoretically) can be had at 1 way.

    5. Re:while snort is a fine piece of software ... by energylad · · Score: 1

      It's unfortunate that Sourcefire's licensing doesn't let you model the hosts on your LAN, only as many IPs as you paid for (and it's quite dear).

      For something with only limited ability to peer into packets, limited stream reconstruction (too expensive, CPU-wise, for most platforms), and virtually no application-level protocol understanding -- not to mention zero insight into firewall evasion techniques like HTTP tunneling -- it's an extremely limited solution for something that can't even tell you write a policy about what should be allowed in the first place.

      Anything that:

      * simply accepts what your network is doing as "baseline" without any thought to security best practices,
      * doesn't give you anything more than a limited version of 2001-era layer-3 visibility into your traffic --
      * and tacks on a terrible enterprise-wide management and aggregation console and no role-based access across security zones ... isn't really worth the trouble to deploy.

      But man, aren't those 3D graphs cool? They don't mean anything, but wow.

      Patrick Dennis

      PS Reminds me of something I saw on a Navy base back in 2002. Some guys in the NOC were talking about this cool solution they'd bought, Silent Runner (long since bought by CA and vanished, like all such things).

      "It's got this awesome visualizer," the guy said. "It's a headset you put on, and there's a dedicated SGI box that gives you a stereo image of what your network's doing. It's cyberspace for real, I'm telling you. And it puts a little rotating 'skull and crossbones' over bad hosts, so you can see when a Chinese hacker is coming in at you."

      "That's really cool! I'd love to see it. Can I try it out?"

      "Aw," he said, jerking a thumb over his shoulder, "it's in the closet somewhere."

    6. Re:while snort is a fine piece of software ... by acid_zebra · · Score: 1

      Aside from the fact that Snort rules get updated very quickly when a new 'sploit is making the rounds, what's with the all-or-nothing angle?

      Snort can be a useful item in your toolkit, adding to your protection as a WHOLE.

      --
      -- No Sig is a Good Sig
    7. Re:while snort is a fine piece of software ... by MadMidnightBomber · · Score: 1

      Snort doesn't only alert on known exploit payloads, it looks for malformed data which could trigger the bugs in the first place. It also has a load of stuff for monitoring port scanning. On this University class B, it is a really invaluable tool. Which is not to say that you don't need to think about using other things to protect your network.

      Sourcefire's official slogan isn't "Snort - pulling people's arses out of the fire since 1998", but it should be.

      --
      "It doesn't cost enough, and it makes too much sense."
    8. Re:while snort is a fine piece of software ... by slash-tard · · Score: 1

      Check point already has some "smart defense" features that try to do this. Its basically crap in my opinion. I dont want random firewall drops on ports I decide to allow because the software is trying to be smart. With a lot of improvement it could be useful though.

    9. Re:while snort is a fine piece of software ... by alexandreracine · · Score: 1

      yeah, but this is a REactive mode, and not PROactive.

      --
      No sig for now.
    10. Re:while snort is a fine piece of software ... by jnf · · Score: 1

      Really? I tend to make my nop's some variation of 'HIYOUDONTKNOWWHATYOUARETALKINGABOUT' or 'AAAAAAAAAHCERTIFICATIONSMEANNOTHING' or 'ILUBYOUINTERNETS', which depending on the platform are very valid opcodes, care to explain to me how exactly you will catch that?

      Additionally, I am not the exception, its just that the security industry is full of people who haven't ever actually done much more than believe whatever metasploit told them, so they just don't know how easy it is to sidestep all of their signature detections.. Especially when it comes to shellcode detection.

    11. Re:while snort is a fine piece of software ... by pboulang · · Score: 1
      You're suggesting what, that the fight should be taken to IRC? How else can you be except reactive? You cannot anticipate all attacks, but you sure as heck can implement a "once bitten twice shy" methodology.

      Seriously, why are you complaining about watching packets to look for anomolies? What is your take?

      --

      This comment is guaranteed*

      *not guaranteed

    12. Re:while snort is a fine piece of software ... by pboulang · · Score: 1
      You don't get it, there appears to be a gap in the fossil record, because there are no bones for a 75,000 year period a million years ago. Obviously, evolution can't work, Intelligent design must be taught in schools.

      To answer your question, because these people are morons. You are obviously browsing the wrong site with that attitude of careful analysis.

      --

      This comment is guaranteed*

      *not guaranteed

    13. Re:while snort is a fine piece of software ... by kc0re · · Score: 1

      No, but we have T-Shirt that say "SNORT, saved my bacon..." -- Sourcefire Employee

  4. Loopholes by diogenesx · · Score: 2, Interesting

    Even with such language, does that stop them from forking the sources and creating a new closed source program with a new name?

    1. Re:Loopholes by Anonymous Coward · · Score: 1, Informative

      Not if they own the copyright (which I'm not sure about in this case).

    2. Re:Loopholes by monkeydo · · Score: 4, Informative

      No, it doesn't. The owner of the copyright can stop releasing new versions under the GPL. Any code already licensed under the GPL would remain so, but nothing stops them from making all new versions closed, or something in between.

      --
      Si vis pacem, para bellum
      The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
    3. Re:Loopholes by 0racle · · Score: 1

      You might want to look into something called dual-licensing. The owner of the copyright can do whatever they please with what they own.

      --
      "I use a Mac because I'm just better than you are."
    4. Re:Loopholes by FidelCatsro · · Score: 3, Informative

      Unless they accepted patches from a third party not directly involved in the project , They would need to track down each and every person that had (and acquire their blessing) or each and every code snippet and remove it .
      This is the same problem which faces the linux Kernel if they wished to move it to the GPL3

      --
      The only things certain in war are Propaganda and Death. You can never be sure which is which though
    5. Re:Loopholes by temojen · · Score: 1

      Except having to chase down every person who ever submitted code, to ask for permission.

    6. Re:Loopholes by Afecks · · Score: 1

      They aren't the owner, neither is Sourcefire, Martin Roesch is. According to the FAQ, they are buying the Sourcefire company, not his copyright.

    7. Re:Loopholes by sgml4kids · · Score: 2, Interesting

      Nor does anything stop them from directing ongoing snort development to being a "tier B" solution (intentionally degrading the effectiveness or performance of snort) relative to their proprietary "tier A" solutions. Lots of companies do this -- they sell the same product: fully enabled at a premium prices, and partially disabled at a lower price. Many companies manfuacture the generic non-brand products "competing" with their own brands (eg. drug companies). If two products compete with each other, it's a bonus if you own both of them.

      It may be a smart business move and the shareholders/owners of Checkpoint(TM) probably expect them to do whatever is necessary to maximize profits.

      Two thumbs down for this move.

    8. Re:Loopholes by Afecks · · Score: 1

      I repeat: They aren't the owner, neither is Sourcefire, Martin Roesch is. According to the FAQ, they are buying the Sourcefire company, not his copyright.

    9. Re:Loopholes by at_slashdot · · Score: 1

      "They aren't the owner, neither is Sourcefire, Martin Roesch is."

      I doubt he is the owner either. Once you GPLed your software and people added to it you no longer own the software and can't impose restrictions anymore since you'd infinge the rights of the contributors.

      --
      "It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
  5. More info from Checkpoint by Parid · · Score: 1, Redundant

    Here is some more info from checkpoint including a FAQ.
    http://www.checkpoint.com/sourcefire/

    I use both firewall-1 and sourcefire currently. The one thing I hope they /don't/ do is merge the two support teams. Sourcefire's support is decent, but checkpoints is down right awful.

    1. Re:More info from Checkpoint by monkeydo · · Score: 1

      Since when does copying a link from the article summary qualify as "more information" and get modded informative?

      --
      Si vis pacem, para bellum
      The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
    2. Re:More info from Checkpoint by krinsh · · Score: 1

      Amen to that. I'm not overly fond of FW-1 but it does its job.

      SourceFire does not *sell Snort*, rather they sell master/slave appliances for enterprise IDS and also a passive network scanner called RNA; which can be integrated with other IDS products and SIMs such as netForensics. The SourceFire NIDS is Snort based. I heard from a former coworker (and security engineer) that SourceFire was about to come out with a complete rewrite of its appliance software and more automated methods for updating signature sets; as a former security type I think that would make large installations a lot easier to handle. I hope the stuff will stay a separate product and not just get absorbed by CheckPoint.

      Does that mean the folks in Columbia, MD have to move to Israel? (just kidding)

      --
      I think with the interesting people, their lives can't possibly be wrapped up into a nice little package.
    3. Re:More info from Checkpoint by Flower · · Score: 1

      It may be because of the discussion of support rather than the link..... More mods have been done over less content.

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
  6. Checkpoint and Linux by Anonymous Coward · · Score: 1, Insightful

    Checkpoint are not known for being too interested in providing versions of their software for Linux. Lack of a current Linux checkpoint vpn client is all that's keeping me running a (gack) Windows machine in my home..

    Soooo.... is Checkpoint Snort going to go Windows-only??

    Then again, maybe this heralds a new era of cooperation between Checkpoint and the non-Windows world.

    1. Re:Checkpoint and Linux by mpathetiq · · Score: 2, Informative

      Checkpoint built their own version of Linux called SecurePlatform specifically for running their firewall, management tools, and other software. Quite often, the GUI and end user tools only ran on Windows, but the real meat-and-potatoes was usually supported on Linux.

      --
      Post-rock/Ambient/Drone and other noise.
    2. Re:Checkpoint and Linux by kotj.mf · · Score: 1
      Indeed. It's also theoretically possible to use FreeS/WAN and OpenS/WAN as a VPN client.

      Unfortunately, though, the SmartWhatever management console is Windows-only, and it doesn't really work in WINE. I suppose it'd be possible to edit the policies by hand, but the prospect of doing that is pretty frightening. Hence, the crufty old 2K box on my KVM switch.

      --
      hang brain.
    3. Re:Checkpoint and Linux by mpathetiq · · Score: 1

      'Tis true about Free/OpenS/WAN. I had to set up a few site-to-site connections between various incarnations of Firewall-1 and small Linux boxen in my prior life as a consultant.

      --
      Post-rock/Ambient/Drone and other noise.
    4. Re:Checkpoint and Linux by mseeger · · Score: 1
      Hi,

      we evaluated the SSL network extender and it worked fine with Linux. It's not a full flavored SecureClient but will suffice for most uses.

      Regards, Martin

    5. Re:Checkpoint and Linux by clymere · · Score: 1

      My solution was to run SmartDashboard within win2k in Vmware in Linux. If you sprung for Checkpoint, Vmware is peanuts. And of course there is qemu, which has worked wonderfully for me so far, although i haven't tried Checkpoint stuff in it as of yet.

      --
      once you go slack, you never go back
    6. Re:Checkpoint and Linux by kotj.mf · · Score: 1
      If you sprung for Checkpoint, Vmware is peanuts.

      Ha. I know it, and you know it, but try telling it to my boss. I just count myself lucky that I'm allowed to run anything I want on my workstation.

      Unfortunately, Win2k was pretty sketchy on qemu last time I checked, and I really didn't have the time to fuck with it, which is why I commandeered an old Windows machine.

      --
      hang brain.
  7. makes sense by spurious+cowherd · · Score: 3, Interesting
    "We believe Sourcefire has world-class solutions for internal security through their Intrusion Sensor, Real-time Network Awareness (RNA), and Defense Center product lines.

    Checkpoint needs this type of network awareness technology to keep up with Cisco
    I know they lost my company's contract because the network admins like the way Cisco stuff integrates

    I'll start by stating again what I've stated in the past, Snort is now and will continue to be free to end-users. We will continue to develop and distribute the Snort engine under the GPL, improve and document the program to stay on the cutting edge and expand the snort.org web site. The community continues, as always, to be important to us as a group of people who use the code pervasively throughout the entire Internet, report on problems and make suggestions and contributions to the project.

    This is critical to me for many reason. It's good to see. Marty is a man of integrity & I'll bet this is in the aquisition contract

    Check Point to acquire privately held Sourcefire for a total consideration of approximately $225 million.

    Who says you can't make money from FOSS?
    Marty deserves the fiduciary rewards he'll get for all his hard work over the years

    --

    Time flies like an arrow, fruit flies like a banana.

  8. Snort.org by marcantonio · · Score: 1

    Wow, it's been a while since I've been to the Snort website. It got very corporatey professional looking.

  9. Snort... hrmm by Lucractius · · Score: 1

    So CheckPoint is Snorting now is it... Do the cops now, have the DEA been called in to raid their offices.

    --
    XML - A clever joke would be here if /. didn't mangle tag brackets.
    1. Re:Snort... hrmm by Lucractius · · Score: 1

      I posted that before passing out at 3am after a long day at work, clearly its not my best work, and hm, i think saying i should properly quote the line in my sig is more polite than saying im deliberatly stealing it and its stupid.

      --
      XML - A clever joke would be here if /. didn't mangle tag brackets.
  10. Re:" Here is a message from Snort creator Marty Ro by Stephen+Samuel · · Score: 1
    I can hear this loud sniffing sound coming from.....

    (not that I'd suggest that Marty uses cocaine, just that his company is being snorted up, so to speak)

    --
    Free Software: Like love, it grows best when given away.
  11. Umm by temojen · · Score: 2, Interesting
    Since most attacks are based on known techniques, it can detect a lot of new attacks, such as anything that includes:
    (lots of nulls)

    const char * what = "/bin/sh";

    where: push what;
    push EXEC;
    call syscall;

    (some junk)
    &where
    On a whole lot of architectures, regardless of port. Which means it catches just about any stack-smashing attack that's not SSL encapsulated, regardless of service and whether it's known.
    1. Re:Umm by jnf · · Score: 1

      const char *whawhat = "//bin/../bin//sh"; push SYSCALLOPCODE jmp esp for(i = 0; i bsize/2; i+=strlen("HILOOKTHISCANBEANOPTOO")); ... xor? Etc. your premise that it can catch just about any stack-smashing attack thats not SSL encapsulated is simply foolish. Snort only catches the people stupid enough to think that they can get away with copy/pasting someone elses shellcode from the 90's.

    2. Re:Umm by jnf · · Score: 1

      (sorry i shouldve previewed ;[)
      const char *whawhat = "//bin/../bin//sh";

      push SYSCALLOPCODE
      jmp esp

      for(i = 0; i bsize/2; i+=strlen("HILOOKTHISCANBEANOPTOO")); ...

      xor?

      Etc.

      your premise that it can catch just about any stack-smashing attack thats not SSL encapsulated is simply foolish. Snort only catches the people stupid enough to think that they can get away with copy/pasting someone elses shellcode from the 90's.

    3. Re:Umm by jnf · · Score: 1

      I guess I work in a different world than you.

  12. Oh no! by wootest · · Score: 1

    Does that mean my father will have to pay for permission when he chuckles?

  13. no big deal by qwertphobia · · Score: 5, Informative

    This is no big deal. Snort will continue to be GPL and freely available to the world.

    I'm more worried about the recent Nessus changes, have you heard about this?
    Nessus License Change Announcement

    Nessus 2 will continue to be free
    Nessus 3 will be a free of charge, binary only release

    --
    Never ask for directions from a two-headed tourist! -Big Bird
    1. Re:no big deal by Kevin+Burtch · · Score: 2, Insightful


      Closed-source penetration testing software?
      I sure won't be using that version... and I love nessus!

      --
      - Preferences: Solaris 10 (servers), Ubuntu (desktops), Solaris 11 (personal servers) -
    2. Re:no big deal by m50d · · Score: 1

      They've been headed that way ever since they did that dodgy plugin licensing thing. Anyone feel like starting a community project to make the free one better?

      --
      I am trolling
    3. Re:no big deal by Flower · · Score: 1
      Would have been nice if the community had been contributing to Nessus before they closed the source. The only reason Tenable was able to accomplish this is because they wrote all the code. Their code means they can license it anyway they want. If there had been more significant contributions to the codebase outside of Tenable Nessus the latest and greatest version of Nessus would have remained GPL'd. Tenable would have had no choice and I think they would have been happy with that.

      And I'm going to be cruelly honest here. I don't think the community is going to make a better free fork. We had our chance and blew it. Like to be proven wrong but I've seen what happened with TripWire and I'm not going to hold out much hope.

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
    4. Re:no big deal by puddpunk · · Score: 1

      Hahaha. They're not making money, they're giving the binaries away for free!

      Oh, and I make plenty of money of phpBB followed by a 10% donation.

    5. Re:no big deal by Cyno · · Score: 1

      I suspect Nessus will be forked soon.

      These types of changes don't worry me. Nothing has been lost except future contributions from the original contributor.

      I don't care if someone doesn't want to work on Free Software, I only care if they take steps to sabotage it, like Microsoft.

    6. Re:no big deal by Flower · · Score: 1
      You're kidding? Right? So who's going to pick up the tab to create a real lab and do full time testing for plug-ins? Or all the other QA tasks that the community has so far been unable to assist Tenable with. A fork of the codebase does nothing to get that infrastructure back.

      To say nothing has been lost is kinda naive.

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
    7. Re:no big deal by Cyno · · Score: 1

      gnessus.org

      So what has been lost? Did Tenable stop testing plugins? Did they dismantle their lab? Is the sky falling?

      The relicensed their code. Now we have two options. Eventually, if YOU donate, we might have two labs testing plugins.

      But being open source I QA all my own stuff instead of relying on some community project to do it for me. I'm thankful they were nice enough to offer me bandwidth to download the source and license it so I can modify and resell it without the possibility of my changes going into a closed-source-only project. .!..

  14. You also need a benchmark of legit activity. by khasim · · Score: 4, Insightful

    Everything happening on your network should be authorized by you. If you're worried about security, then you need to get some benchmarks of the legitimate traffic on your network so you can have the system watch for different patterns.

    1. Re:You also need a benchmark of legit activity. by Tom · · Score: 1

      so you can have the system watch for different patterns.

      Like someone reading a different e-mail than yesterday? ;-)

      Sorry, half-joking there. The problem still is that for any somewhat complicated (i.e. real-life) network, there will be a huge volume of different patterns. You end up doing one of two things:

      * Spending huge amounts of time setting up the initial patterns and then updating them every time something small changes

      * Going to a level of abstraction where attacks can slip through, so you're no better than with the "look for evil bits" approach, except that you spent more time on it all.

      --
      Assorted stuff I do sometimes: Lemuria.org
  15. Re:In other news by Anonymous Coward · · Score: 1, Interesting

    Who are these companies?

    Note to non-technical people: either STFU or stay the f*** off of /. Frankly, if you don't know who CheckPoint is, half of the stuff here has to be over your head, anyway.

    Can't we have some type of "technical abilities" test, so we can adjust a post's initial score, based on the result? Of course, we'd never see AC posts, but still - it's sad that someone had to use mod points on this.

  16. Not really. by khasim · · Score: 1
    You'll see port 80 connections to your internal webservers and to external sites ... but you shouldn't see port 80 connections to other workstations. That's a flag.

    And so on with every other port. Particularly if you have a well designed network where the workstations have no need to connect to other workstations.
    Like someone reading a different e-mail than yesterday? ;-)
    Nope. More like a workstation suddenly sending, via port 25 (SMTP), to a box outside your network. That's a huge flag.

    It's very easy to do. You should already know what ports/protocols are in use on your network and what should be connecting on them to what. Start there and investigate any usage you didn't expect to see.
    1. Re:Not really. by Cally · · Score: 1
      Nope. More like a workstation suddenly sending, via port 25 (SMTP), to a box outside your network. That's a huge flag.

      Yeah, though you'd catch that on the firewall, not with an IDS. For anomaly based detection (which snort can do with 'spade'; I haven't tried it myself) you really want to be able to plug in logs from multiple sources - IDS sensors, internal and external firewall interfaces, etc etc. For most networks, you should be able to iterate over each sensor, f/w interface and other in my dream world, over all the client and server logs which would be forwarded by syslog into one hungous out-of-band management network where you process the lot and alert on anything out of the ordinary. You'll get a lot of 'false alarms' unless you want to know about the curious network newbie who one day wonders what how telnet works, or installs a p2p app or whatever. (Yes, of course your fws and IDS are doing deep packet inspection / protocol analysis and can spot people trying to tunnel p2p over port 80 - the most common case - as well as funkier stuff like ipsec via DNS packet options or somesuch madness. You'd want to automate as much as possible of the setup... hmmm, in principle it'd be possible to stich together a load of Free software, package it or sell it as a service, with a load of auto-discovery scripts or passive analysis system to spot patterns... hmmm....

      My dream is to build and run such a system, and work for world peace ;)

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    2. Re:Not really. by jnf · · Score: 1

      You'll see port 80 connections to your internal webservers and to external sites ... but you shouldn't see port 80 connections to other workstations. That's a flag.

      It's very easy to do. You should already know what ports/protocols are in use on your network and what should be connecting on them to what. Start there and investigate any usage you didn't expect to see.

      You must work in a very small organization where this can be said to be true, or have never actually worked in a SOC-- in which case your advice sounds logical. Take your network, add several thousand more boxes all under different clusters of administrators, give clusters of the boxes different purposes, and then re-evaluate your statement to see if it can be held to be true.

  17. My friend was acquired by a Checkpoint by DrugCheese · · Score: 4, Funny

    when he tried to cross the border with snort.

    --
    *DrugCheese rants*
  18. Re:Letter Text by kc0re · · Score: 1

    Interesting. Snort looks like a pretty cool tool. Anyone know more about it? How does it hold up against other intrusion detection packages?

    Snort is the most widely used IDS in the world today. > 2,000,000 downloads. It beats every competitor, Cisco, ISS, McAfee, 3COM. Rated #1 by SC Magazine.. etc..etc..etc..

  19. in other news... by portscan · · Score: 2, Funny

    checkpoint has had yet another security breach. this time, instead of all of their background records being released onto the internet, the source code of their newly acquired security tool, "snort" was released onto the internet. many have already downloaded this and started using free of charge, not to mention modifying it as they see fit and redistributing it also free of charge. this is a truly embarassing second offense for the security company.

  20. You just now heard of Snort??? by ripcrd · · Score: 1

    What rock have you been under? If you like to keep up on network admin tools, then you are way behind. I first heard of Snort in 2001 or 2002. Snort runs on my IPCop firewall and scans for baddies trying to get in.

    Hell, they are past version 2.4 and you are just NOW hearing about it? Holy crap!

    --
    --Somewhere there is a village missing an idiot.
    1. Re:You just now heard of Snort??? by Kiashien · · Score: 1

      heh, yea, I know, I know.

      Oh well. I know about it now.

      --
      Code. Writing. Writing Code. Writing in general. What? They aren't -that- differnet.
    2. Re:You just now heard of Snort??? by Slashcrap · · Score: 1

      Snort runs on my IPCop firewall and scans for baddies trying to get in.

      It runs on your firewall?

      Wouldn't you be better off running it inside your firewall where it is actually useful? Or does looking at huge logs of attacks bouncing off your firewall make you feel special in some way?

      You want to know about attacks that get through the firewall not all the script kiddie shit that gets blocked.

      And shall we talk about the security problems with your setup? No, let's not bother.

  21. Re:" Here is a message from Snort creator Marty Ro by Chris+Mattern · · Score: 2, Funny

    And, of course, the classic.

    "Do you like my hat? It's made of money! Would you like to stay for lunch? I think we're having MONEY!"

  22. I acquire a snort... by SnappingTurtle · · Score: 1

    ... every time I get one of these damn sinus infections, but I don't put out a damn press release about it.

    --
    I've found that my posts don't format quite right w/o a sig.
  23. Re: Fork by ImaLamer · · Score: 1

    "snort" or "snort" as a software product belongs to him, or the company regardless of the licensing scheme attached to the product with the same name.

    Who owns copyrights, trademarks, all of that garbage doesn't matter much when you are talking about GPL software. In a sense you are putting everything on the line when you release GPL software but you by no means are giving away the entire farm. The copyright is yours, we've covered this! When people contribute code then their code is © them and not you.

    What's important, the initial question, is: What will happen to the code? Can it be put into closed source software?

    Some of it could - provided that they (CheckPoint) purchased the rights to that specific code when they bought the farm. Ahem, so to speak. Sourcefire, Martin Roesch, whoever could have sold their code under their copyright's - but they can't remove it from the GPL project and can't prevent others from using it. Really, if someone helped edit a portion of the code during debugging then the developer could only sell a copy of their original submission (because they still retain their copyright; the derivative works aren't theirs because the nature of the license).

    If you wrote code for Snort then you don't have anything to worry about (in theory only) unless you signed something. We'll see what happens I guess.

    --
    Get your Unix fortune now!
  24. CheckPoint bought ZoneAlarm and screwed it up by loggia · · Score: 2

    I see nothing positive about Snort being acquired by CheckPoint.

    CheckPoint bought Zone Labs a couple of years ago and Zone Alarm went from being a rock solid firewall to an absolute mess. There are so many problems with the new version of Zone Alarm that their forums are filled with complaints.

    1. Re:CheckPoint bought ZoneAlarm and screwed it up by seudafed · · Score: 1

      I've worked at Zone Labs for 5 years. I can say that things have gotten better since being acquired by our new corporate overlord. Any problems have nothing to do with the aquisition.

  25. Maybe they did this... by raddan · · Score: 1

    ...so that they can find out what's wrong with their shitty VPN software.

  26. What happens with the rule set development? by waldonova · · Score: 2, Interesting

    I have snort running with BASE, for a nice NID management setup. Without the rules, not much will happen.
    There are currently three levels of access to rules, as seen at http://www.snort.org/rules/

    1. Anyone can get the rule set that is released with the latest version.
    2. People who pay the big bucks ($1,795/year) can get updated rule sets as soon as they are released.
    3. A third level sits in the middle; where if you register with sourcefire you can get the updated rules five days after they are released to the premium members.

    Martin, I am sure that "Check Point is very excited about continuing Sourcefire's involvement with the open source community!". I hope that doesn't mean that they are excited about getting fees for any and all rules from the open source community.

  27. Re: Fork by at_slashdot · · Score: 1

    "When people contribute code then their code is © them and not you."

    That's what I meant, I don't know how much of the code is his and how much is contributed that's why he deosn't own (the whole) snort -- just like Linus doesn't own Linux kernel, AFAIK.

    --
    "It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
  28. *ARGHH* headline! by Cally · · Score: 1
    'Checkpoint buys Snort' - 10/10 for an arresting headline, minus several billion for good thinking. Checkpoint has bought Sourcefire, not *Snort*. That's like saying OSDN have "bought Linux" because they happen to pay Linus.

    Honestly, the "slashdot's going down hill" trolls have been making me roll my eyes pretty much as soon as I became a regular, but things like this really make me wonder :(

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  29. Re:In other news by Frank+T.+Lofaro+Jr. · · Score: 1

    You got a big Mac at Fry's?

    How's OSX? ;)

    --
    Just because it CAN be done, doesn't mean it should!
  30. Kate Moss by Anonymous Coward · · Score: 3, Funny

    Kate Moss unavailable for comment.

  31. Here's my question by Flower · · Score: 1

    How much *significant* code has been contributed to Snort by people outside of SourceFire? I'm talking about things like Frag3, etc. - the underpinnings of Snort.

    --
    I don't want knowledge. I want certainty. - Law, David Bowie
  32. Snort was a good model for IDS by recharged95 · · Score: 1
    Problem is all the competitors have better tools out there [or in the works...] now for IDS. Believe me, it's just no one's buying.

    The neat thing about snort is it's history and that I hope companies look at it as a model of S/W developement (i.e. FOSS). I wish they turn their rules language via an XML Schema.

    Interesting triva to ask is where did snort originate? The feds come to mind ;).

    [Funny] It's understandable why Marty had to sell! A big house and a brand new [huge] office building for the peeps (better than the last location) will suck the $$$ dry quickly.

  33. How is the parent a Troll? by Philip+K+Dickhead · · Score: 1

    References:
    http://archives.neohapsis.com/archives/firewalls/2 000-q3/2361.html
    http://www.issociate.de/board/post/218692/The_prob lem_with_Zone_Alarm.html
    http://www.forbes.com/forbes/2002/0318/102_2.html
    http://www.whatreallyhappened.com/spyring.html

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
  34. This is Great day for Snort Users by easternerd · · Score: 1

    I am very sure that Checkpoint would not remove Snort from GPL, and its a good news for all the snort fans out there.. with Checkpoints popularity and financial power they might be able to improvise the snort to be able to offer better Inline IPS features..
    The main reason i am very enthusiastic is that there is not much competition in the IDS sphere, and checkpoint systems for one doesnt have a base in IDS hence with this acquisition i guess there will be good competition for Cisco , MCafee and TippingPoint.

    just hope to get the best anyway...