Slashdot Mirror


CheckPoint Acquires Snort

bobdehnhardt writes "The Snort-announce list was burning with the news that CheckPoint has signed an agreement to acquire Sourcefire, the commercial arm of the Snort community. As part of the agreement, CheckPoint will "continue to develop and distribute Snort under the GPL, improve and document the program to stay on the cutting edge and expand the snort.org web site." Here is a message from Snort creator Marty Roesch."

20 of 118 comments

  1. " Here is a message from Snort creator Marty Roesc by b1gk1tty · · Score: 5, Funny

    " Here is a message from Snort creator Marty Roesch."

    I'm rich I'm rich I'm filthy f*ckin rich!

  2. Loopholes by diogenesx · · Score: 2, Interesting

    Even with such language, does that stop them from forking the sources and creating a new closed source program with a new name?

    1. Re:Loopholes by monkeydo · · Score: 4, Informative

      No, it doesn't. The owner of the copyright can stop releasing new versions under the GPL. Any code already licensed under the GPL would remain so, but nothing stops them from making all new versions closed, or something in between.

      --
      Si vis pacem, para bellum
      The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
    2. Re:Loopholes by FidelCatsro · · Score: 3, Informative

      Unless they accepted patches from a third party not directly involved in the project, they would need to track down each and every person that had (and acquire their blessing) or each and every code snippet and remove it.
      This is the same problem which faces the Linux kernel if they wished to move it to the GPL3.

      --
      The only things certain in war are Propaganda and Death. You can never be sure which is which though
    3. Re:Loopholes by sgml4kids · · Score: 2, Interesting

      Nor does anything stop them from directing ongoing snort development to being a "tier B" solution (intentionally degrading the effectiveness or performance of snort) relative to their proprietary "tier A" solutions. Lots of companies do this -- they sell the same product: fully enabled at a premium price, and partially disabled at a lower price. Many companies manufacture the generic non-brand products "competing" with their own brands (e.g. drug companies). If two products compete with each other, it's a bonus if you own both of them.

      It may be a smart business move and the shareholders/owners of Checkpoint(TM) probably expect them to do whatever is necessary to maximize profits.

      Two thumbs down for this move.

  3. makes sense by spurious+cowherd · · Score: 3, Interesting
    "We believe Sourcefire has world-class solutions for internal security through their Intrusion Sensor, Real-time Network Awareness (RNA), and Defense Center product lines.

    Checkpoint needs this type of network awareness technology to keep up with Cisco.
    I know they lost my company's contract because the network admins like the way Cisco stuff integrates.

    I'll start by stating again what I've stated in the past, Snort is now and will continue to be free to end-users. We will continue to develop and distribute the Snort engine under the GPL, improve and document the program to stay on the cutting edge and expand the snort.org web site. The community continues, as always, to be important to us as a group of people who use the code pervasively throughout the entire Internet, report on problems and make suggestions and contributions to the project.

    This is critical to me for many reasons. It's good to see. Marty is a man of integrity & I'll bet this is in the acquisition contract.

    Check Point to acquire privately held Sourcefire for a total consideration of approximately $225 million.

    Who says you can't make money from FOSS?
    Marty deserves the fiduciary rewards he'll get for all his hard work over the years

    --

    Time flies like an arrow, fruit flies like a banana.

  4. Re:while snort is a fine piece of software ... by j_kenpo · · Score: 2, Interesting

    Which is why you run Snort with full packet logging mode in addition to alert mode. This way, if an alert is missed, you can still see all packets sent in an attack and build an alert from that. Just make sure you have enough storage space.

  5. Re:while snort is a fine piece of software ... by b0r1s · · Score: 5, Informative

    It's worth mentioning that it's possible to trigger on known attack VECTORS rather than just known attacks - that is, on some vulnerabilities, all possible attacks will have a single signature at some point in the packet, which WILL be triggered. Moreover, some PROTOCOLS will always have the same signature, which may be hit as byproducts of the attack (i.e., if I see an IRC packet coming from a webserver, I'm going to alert no matter what port it's on, or where it's going, because it shouldn't be there, period).

    Snort can be bypassed in many scenarios, but it's still very useful.

    --
    Mooniacs for iOS and Android
  6. Umm by temojen · · Score: 2, Interesting
    Since most attacks are based on known techniques, it can detect a lot of new attacks, such as anything that includes:
    (lots of nulls)

    const char * what = "/bin/sh";

    where: push what;
    push EXEC;
    call syscall;

    (some junk)
    &where
    On a whole lot of architectures, regardless of port. Which means it catches just about any stack-smashing attack that's not SSL encapsulated, regardless of service and whether it's known.
  7. no big deal by qwertphobia · · Score: 5, Informative

    This is no big deal. Snort will continue to be GPL and freely available to the world.

    I'm more worried about the recent Nessus changes, have you heard about this?
    Nessus License Change Announcement

    Nessus 2 will continue to be free
    Nessus 3 will be a free of charge, binary only release

    --
    Never ask for directions from a two-headed tourist! -Big Bird
    1. Re:no big deal by Kevin+Burtch · · Score: 2, Insightful


      Closed-source penetration testing software?
      I sure won't be using that version... and I love Nessus!

      --
      - Preferences: Solaris 10 (servers), Ubuntu (desktops), Solaris 11 (personal servers) -
  8. Re:while snort is a fine piece of software ... by PGillingwater · · Score: 5, Informative

    Plus you might find that a shellcode exploit requires a shellcode sled, which can be detected. And many of the people who use Snort might not know that Sourcefire has made a major innovation with RNA -- a passive traffic analysis system which tells you what hosts are in your LAN, and what ports are being used -- kind of like NTOP, but with better consolidation and reporting.

    --
    Paul Gillingwater
    MBA, CISSP, CISM
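
Added example (not part of the thread and not Snort's own code): the two payload checks described in the comments above, b0r1s's protocol signature that fires regardless of port and the sled detection PGillingwater mentions, written as Python detection logic over constructed packets. The `WEB_SERVERS` set, the 32-byte sled threshold and the two-line IRC requirement are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass

# Assumption: addresses of hosts that should only ever speak HTTP(S).
WEB_SERVERS = {"10.0.0.80"}

# IRC commands (RFC 1459) at the start of a line, with an optional ":prefix ".
IRC_LINE = re.compile(
    rb"^(?::\S+ )?(NICK|USER|JOIN|PRIVMSG|PING|PONG) [^\r\n]*\r?$", re.M)
# A long run of x86 single-byte NOPs (0x90). Only the plain form is covered;
# the 32-byte minimum is an assumed threshold.
NOP_SLED = re.compile(rb"\x90{32,}")

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

def inspect(pkt: Packet) -> list[str]:
    """Return alert names for one packet; the port is never consulted."""
    alerts = []
    # Require two IRC-looking lines to cut false positives on stray words.
    if pkt.src in WEB_SERVERS and len(IRC_LINE.findall(pkt.payload)) >= 2:
        alerts.append("irc-from-webserver")
    if NOP_SLED.search(pkt.payload):
        alerts.append("nop-sled")
    return alerts

# Constructed sample traffic, not captured from a real network.
SAMPLES = [
    Packet("10.0.0.80", "203.0.113.5", 443, b"NICK bot42\r\nUSER bot42 0 * :x\r\n"),
    Packet("10.0.0.80", "198.51.100.7", 80, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    Packet("192.0.2.9", "10.0.0.80", 8080, b"GET /" + b"\x90" * 64 + b" HTTP/1.0\r\n\r\n"),
    Packet("192.0.2.10", "203.0.113.5", 6667, b"NICK alice\r\nUSER alice 0 * :Alice\r\n"),
]

def run(samples=SAMPLES):
    """Inspect every sample and return one alert list per packet."""
    return [inspect(p) for p in samples]

if __name__ == "__main__":
    for pkt, alerts in zip(SAMPLES, run()):
        print(pkt.src, "->", pkt.dst, pkt.dport, alerts or "clean")
```

The fourth sample shows the role of the source list: ordinary IRC from a workstation on port 6667 raises nothing, while the same registration lines leaving the web server on port 443 do.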
  9. You also need a benchmark of legit activity. by khasim · · Score: 4, Insightful

    Everything happening on your network should be authorized by you. If you're worried about security, then you need to get some benchmarks of the legitimate traffic on your network so you can have the system watch for different patterns.

  10. Re:Checkpoint and Linux by mpathetiq · · Score: 2, Informative

    Checkpoint built their own version of Linux called SecurePlatform specifically for running their firewall, management tools, and other software. Quite often, the GUI and end user tools only ran on Windows, but the real meat-and-potatoes was usually supported on Linux.

  11. My friend was acquired by a Checkpoint by DrugCheese · · Score: 4, Funny

    when he tried to cross the border with snort.

    --
    *DrugCheese rants*
  12. in other news... by portscan · · Score: 2, Funny

    checkpoint has had yet another security breach. this time, instead of all of their background records being released onto the internet, the source code of their newly acquired security tool, "snort" was released onto the internet. many have already downloaded this and started using free of charge, not to mention modifying it as they see fit and redistributing it also free of charge. this is a truly embarrassing second offense for the security company.

  13. Re:" Here is a message from Snort creator Marty Ro by Chris+Mattern · · Score: 2, Funny

    And, of course, the classic.

    "Do you like my hat? It's made of money! Would you like to stay for lunch? I think we're having MONEY!"

  14. CheckPoint bought ZoneAlarm and screwed it up by loggia · · Score: 2

    I see nothing positive about Snort being acquired by CheckPoint.

    CheckPoint bought Zone Labs a couple of years ago and Zone Alarm went from being a rock solid firewall to an absolute mess. There are so many problems with the new version of Zone Alarm that their forums are filled with complaints.

  15. What happens with the rule set development? by waldonova · · Score: 2, Interesting

    I have snort running with BASE, for a nice NID management setup. Without the rules, not much will happen.
    There are currently three levels of access to rules, as seen at http://www.snort.org/rules/

    1. Anyone can get the rule set that is released with the latest version.
    2. People who pay the big bucks ($1,795/year) can get updated rule sets as soon as they are released.
    3. A third level sits in the middle, where if you register with Sourcefire you can get the updated rules five days after they are released to the premium members.

    Martin, I am sure that "Check Point is very excited about continuing Sourcefire's involvement with the open source community!". I hope that doesn't mean that they are excited about getting fees for any and all rules from the open source community.

  16. Kate Moss by Anonymous Coward · · Score: 3, Funny

    Kate Moss unavailable for comment.