Is Open Source SNORT Dead?
alphadogg writes "Is Snort, the 12-year-old open-source intrusion detection and prevention system, dead?
The Open Information Security Foundation, a nonprofit group funded by the US Dept. of Homeland Security to come up with next-generation open source IDS/IPS, thinks so. But Snort's creator, Martin Roesch, begs to differ, and in fact, calls the OISF's first open source IDS/IPS code, Suricata 1.0 released this week, a cheap knock-off of Snort paid for with taxpayer dollars.
The OISF was founded about a year and a half ago with $1 million in funding from a DHS cybersecurity research program, according to Matt Jonkman, president of OISF. He says OISF was founded to form an open source alternative and replacement to Snort, which he says is now considered dead since the research on what is supposed to be the next-generation version of Snort, Snort 3.0, has stalled."
Yeah, it's dead. HTH.
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
This is not a good thing for anyone concerned !!
Open source project dead? How can that be now?
First of all, 1 million dollars does not sound like cheap ripoff ;)
Second, I have never quite understood Snort to be honest. It has never been able to detect anything besides irrelevant noise (obscure bugs related to ancient software) and the project has never had any idea about the management tools related to the main engine. In fact there have never been any credible tools. If this Suricata project will create such it imho doesn't matter really if they stole all the code from Snort. Snort people didn't do very well with it anyways.
Netcraft hasn't confirmed it yet.
Snort is nowhere near dead - it's still used in tons of production environments, especially in higher ed (where we've always got plenty of Unix nerds on hand, and never have any money).
I would imagine Marty's objections probably have something to do with his desire to move people from Snort to the commercial IDS offerings from Sourcefire. That easy upsell doesn't exist if people start off on another product.
--saint
Is this a fork or is DHS replicating Snort without copying the code?
Why is it that I have a queasy feeling in my gut about network security tools supplied by DHS?
So what alternatives do /. recommend? Open source preferred.
-- veni, vidi, vomi
Seriously? Having used Suricata...a lot...I can tell you it's much of what SNORT should have become. A rip off it is not. Multi-threading alone is a God-send.
For people who don't read the article:
So, the taxpayer paid good money to develop a slower and less functional version of an already open-source product. Brilliant.
SELinux was a good investment of taxpayer dollars. This was not, as far as I can tell.
- Michael T. Babcock (Yes, I blog)
Okay, so a competing product comes out, they declare their competitor is dead, said competitor says "i'm not dead yet" and accuses them of being a cheap knockoff. Both sides continue to point out flaws or perceived flaws and throw FUD at each other.
I think the most serious claim against SNORT came at the end of the article:
"Sourcefire controls the intellectual property and the update cycle for changes. They use the install base of Snort to market their commercial solutions," Stiennon says. "I am not saying that is a bad thing for Snort users but it is limiting to the overall development of threat mitigation technology from the open source community."
If that's true, that is not cool. I hate it so much when I'm just trying to install PDFCreator or some other GPL'd tool and part of the install process involves a default click box to also install Yahoo's toolbar in all my browsers. It's great to see companies back particular open source projects but I do not care for companies that take hold of the reins and/or use it to propagate their own proprietary tools. It's one of the reasons I'll consider Flex better than Silverlight but never will I consider it open source despite the SDK source being available. It's got vendor lockin associated with it.
My work here is dung.
The linked article wins the title of Dumbass Article of the Week.
Don't kid yourself. It's the size of the regexp AND how you use it that counts.
The OISF was founded about a year and a half ago with $1 million in funding from a DHS cybersecurity research program . . .
Open Pork!
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
"The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field. "
You make the call.
There are no loopholes. It's either legal or it's not.
In other news, the ls command is also dead. When was the last major functional change for ls? When was the last time you saw a major support contract signed for the ls command? Note that I am accepting $1M contract offers to implement the next generation directory listing program, which I will be naming dir.exe, although I haven't decided what's more trendy, enterprise Java, ruby on rails, or maybe erlang?
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
It may not be developed on very actively but that's because it doesn't need to be. It does everything it needs to do and for the rest, the community and any capable sysadmin can make their own rules. At some point the product is finished and all you can do is bugfix it. Adding features makes stuff bloated and is only necessary if you need to sell the stuff in a commercial setting. That's the power of open source, once a product is finished, it's done with. Eventually somebody will rewrite it (if the code is really bad) or make it run better (if architectures change) but a well-written program won't need either in the near future.
Look at the rsync library. The only thing that was fixed recently is a 64-bit handle to allow for files larger than 4GB to be handled. I don't believe the original programmer is even around anymore to fix stuff on it since the 4GB patch is not included in the official rsync distribution. But it's still widely used without any problems, works as intended and isn't going away soon.
Custom electronics and digital signage for your business: www.evcircuits.com
If there is one thing that is terrible for prompting innovation it's competition. I predict both programs will fade into obscurity within 6 months.
.... is pretty much DOA.
Speaking as a security professional, we could REALLY use multi-threaded support in our Snort deployments, and the last time I heard 'multi-threaded support is just around the corner' was in 2008.
Right now, the fact that one Snort instance runs as one process linked to one interface in your ethernet stack means that only one core can run it. And with us hitting the plateau in computing speed on a per-core basis, and traffic still increasing, multi-threaded support had better show up in the next couple of years at the latest or I'll have to find some other network-based IDS product, at least for some extreme instances.
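The one-process, one-interface, one-core limit described above is what a multi-threaded engine has to break, but it cannot simply round-robin packets across cores: stream reassembly and rule state only work if every packet of a flow, in both directions, lands on the same worker. The following is an added illustration of that constraint and is not code from Snort, Suricata or Sourcefire. It hashes a direction-independent flow key to pick a worker and then verifies that no flow is split. The packets are constructed samples, the worker count is arbitrary, and crc32 is used only because it is deterministic, not for any security property.

```python
import zlib
from collections import defaultdict

# Constructed sample packets (not a real capture): (src_ip, src_port, dst_ip, dst_port, proto).
# Each flow appears in both directions so the pinning property can be checked.
SAMPLE_PACKETS = [
    ("10.0.0.5", 51000, "192.0.2.10", 80, "tcp"),
    ("192.0.2.10", 80, "10.0.0.5", 51000, "tcp"),      # reply direction of flow 1
    ("10.0.0.6", 51001, "192.0.2.10", 443, "tcp"),
    ("192.0.2.10", 443, "10.0.0.6", 51001, "tcp"),     # reply direction of flow 2
    ("10.0.0.7", 53000, "198.51.100.2", 53, "udp"),
    ("198.51.100.2", 53, "10.0.0.7", 53000, "udp"),    # reply direction of flow 3
]


def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent flow identity: order the two endpoints so that
    A->B and B->A collapse to the same key."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    lo, hi = (a, b) if a <= b else (b, a)
    return (proto, lo, hi)


def pick_worker(key, n_workers):
    """Map a flow key to a worker index. crc32 gives a stable, well-spread
    mapping; it is not a security primitive here."""
    return zlib.crc32(repr(key).encode()) % n_workers


def dispatch(packets, n_workers):
    """Fan packets out to per-worker queues keyed by the symmetric flow hash."""
    queues = defaultdict(list)
    for pkt in packets:
        queues[pick_worker(flow_key(*pkt), n_workers)].append(pkt)
    return dict(queues)


def flows_are_pinned(queues):
    """The property stream reassembly depends on: no flow key appears in
    more than one worker's queue."""
    owner = {}
    for worker, pkts in queues.items():
        for pkt in pkts:
            key = flow_key(*pkt)
            if owner.setdefault(key, worker) != worker:
                return False
    return True


def distinct_flows(packets):
    """Number of bidirectional flows in a packet list."""
    return len({flow_key(*p) for p in packets})


if __name__ == "__main__":
    q = dispatch(SAMPLE_PACKETS, 4)
    for w in sorted(q):
        print(f"worker {w}: {len(q[w])} packet(s)")
    print("flows pinned to one worker:", flows_are_pinned(q))
```

Hashing the raw 5-tuple instead of the sorted endpoints would send the two directions of a TCP connection to different workers, which is exactly the failure the symmetric key avoids; a real engine also has to deal with per-worker state memory and with fragments that carry no ports.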
One's right to life, liberty, property, speech, press, freedom of worship and assembly may not be submitted to vote
Are you certain about this? Perhaps we should have a poll about this.
-- It may be flamebait, but it's funny.
Just a heads up. The North Texas Snort Users Group is being revived. I have nothing to do with it, but heard about it at the North Texas Linux Users Group (NTLUG) meeting.
Check out nt-sug.org.
Technoid_
Two wrongs don't make a right, but 3 lefts do - Lew of GO magazine
I should know, I wrote it.
Snort is developed at Sourcefire these days, the company I started and where I still serve as CTO. I am the lead developer on the Snort 3.0 project right now which is undergoing restructuring after the initial few releases showed performance issues that we weren't ready to live with.
Snort 2.x is developed by Sourcefire's engineering team, we release several updates a year to the code and updates to detection almost weekly via the Sourcefire VRT. I don't work on the 2.x code base day to day anymore but I do contribute from time to time. Snort 2.9.0 is slated for release this fall and continues 12 years of development on the engine technology which includes some significant innovation in the field of intrusion detection.
My issue with Suricata is that it has implemented the exact same *detection model* as Snort, it does nothing new from a detection standpoint but wraps it in a multithreaded framework that they're trying to call innovation all on its own. True innovation would be to develop a new way of detecting threats on the wire and they haven't done that, they effectively have implemented the same idea as Snort (processes Snort rules, buffers streams into chunks before processing, etc) on a slower software platform. They implemented what is effectively a Snort fork and did so at taxpayer expense, they got the government to pay them to develop something that the government already gets for free (Snort's detection model) with less features and lower performance.
Someday Suricata might be a really interesting engine but to go out to the press in a concerted push and advance the idea that "Snort is dead" reflects a stunning amount of hubris and wishful thinking. Snort is the most widely deployed IDS/IPS on the planet, there have been millions of downloads and there are hundreds of thousands of registered users and the community is still growing steadily. Snort's engine development is still moving forward and we have plans to continue to innovate in the field of intrusion detection. If the Suricata team wants to displace it they have a tremendous amount of work to do, they're not even close yet.
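The "detection model" at issue in the post above is the Snort rule language: a header (action, protocol, addresses, ports, direction) followed by options such as content, nocase and depth, which both engines consume. As an added, deliberately small illustration of what evaluating such a rule involves (not Snort's, Suricata's or the VRT's code), here is a parser for that subset plus a matcher run over constructed packets. The rules, the $HOME_NET value and the sid numbers are made up for the example.

```python
import ipaddress
import re

# Constructed rules in Snort syntax (not from any real rule set); sids are arbitrary local values.
SAMPLE_RULES = [
    'alert tcp any any -> $HOME_NET 80 (msg:"Example - bad bot user agent"; '
    'content:"User-Agent|3a| badbot"; nocase; sid:1000001; rev:1;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"Example - PUT method"; '
    'content:"PUT "; depth:4; sid:1000002; rev:1;)',
]

# Assumed variable binding for this example.
VARS = {"$HOME_NET": ["10.0.0.0/8"]}

# Constructed packets: only the fields the matcher needs.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "192.0.2.10", "sport": 40000, "dst": "10.0.0.5", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nUser-Agent: BadBot/1.0\r\n"},        # rule 1 (nocase)
    {"proto": "tcp", "src": "192.0.2.10", "sport": 40001, "dst": "10.0.0.5", "dport": 80,
     "payload": b"PUT /upload HTTP/1.1\r\n"},                              # rule 2 (depth:4)
    {"proto": "tcp", "src": "192.0.2.10", "sport": 40002, "dst": "10.0.0.5", "dport": 80,
     "payload": b"GET /x HTTP/1.1\r\nX-Note: PUT \r\n"},                  # "PUT " past depth: no alert
    {"proto": "tcp", "src": "192.0.2.10", "sport": 40003, "dst": "10.0.0.5", "dport": 8080,
     "payload": b"GET / HTTP/1.1\r\nUser-Agent: badbot\r\n"},              # wrong port: no alert
]

HEADER_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
OPT_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')


def unquote(v):
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v


def decode_content(s):
    """Turn a content string with |hex| escapes into bytes."""
    out = b""
    for i, part in enumerate(s.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part.replace(" ", ""))
    return out


def parse_rule(text):
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a rule header: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport, "dir": direction,
            "dst": dst, "dport": dport, "msg": None, "sid": None, "contents": []}
    for name, val in OPT_RE.findall(opts):
        if name == "content":
            rule["contents"].append({"pattern": decode_content(unquote(val)), "nocase": False, "depth": None})
        elif name == "nocase":          # modifies the preceding content
            rule["contents"][-1]["nocase"] = True
        elif name == "depth":           # pattern must fit inside the first N payload bytes
            rule["contents"][-1]["depth"] = int(val)
        elif name == "msg":
            rule["msg"] = unquote(val)
        elif name == "sid":
            rule["sid"] = int(val)
    return rule


def addr_matches(spec, ip):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    nets = VARS.get(spec.lstrip("!"), [spec.lstrip("!")])
    hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)
    return hit != negate


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def content_matches(c, payload):
    hay = payload[: c["depth"]] if c["depth"] else payload
    pat = c["pattern"]
    if c["nocase"]:
        hay, pat = hay.lower(), pat.lower()
    return pat in hay


def match_rule(rule, pkt):
    return (rule["proto"] == pkt["proto"]
            and addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])
            and all(content_matches(c, pkt["payload"]) for c in rule["contents"]))


def scan(rules, packets):
    """Return (sid, msg) for every rule that fires on every packet."""
    return [(r["sid"], r["msg"]) for pkt in packets for r in rules if match_rule(r, pkt)]


def run_example():
    return scan([parse_rule(r) for r in SAMPLE_RULES], SAMPLE_PACKETS)


if __name__ == "__main__":
    for sid, msg in run_example():
        print(f"[{sid}] {msg}")
```

A real engine adds what this omits: stream reassembly before matching, a multi-pattern prefilter so thousands of content strings are not tested one by one, offset/distance/within relative matching, pcre, and the http_* buffers. The point of the toy is only that the rule semantics themselves are engine-independent, which is what makes rule-set compatibility between two engines possible.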
Martin sounds angry. Suricata is new, I wouldn't expect it to blow away the competition at such an early stage. High speed/quality IDS/IPS isn't something that you can xerox off new competitors in 15 minutes. I suspect it's like Firefox's new scripting engine. It was initially slower than the old one, but with time it will overtake it.
Martin makes his money off Snort and doesn't want other free software encroaching on his livelihood. Well Martin, maybe you should put forth more effort into Snort rather than just resting on your laurels.
Ever notice how funded "non-profits" and new commercial efforts always start by declaring the open source version "dead"? That's a bit like Tesla motors coming out and declaring Ford dead. Whether or not it is true that "Ford is dead", the "competition" has a serious conflict of interest and is in no way qualified to make the declaration. In fact, their need to make such declarations indicates that it is actually far from true.
A better wording for the OISF:
"We think our product is better and we wish Snort would just go away, because we are so tired of hearing from our potential customers 'We use Snort, and it does all that already, why would we switch?'."
OISF is also probably getting really tired of trying to justify every year the expenditure of taxpayer dollars to support a capability that Snort already provides for free. If they really had such a great capability, they wouldn't have any need whatsoever to spread Snort bashing FUD.
I'm forced to post something in this thread to throw away an accidental mod of "Troll".
If the moderation box gets focus for any reason, it's going to fire off and moderate the person once you exit it. No ifs, ands, or buts.
So here I am, having to throw away 4 or 5 reasonable (well, I thought so, anyway) mods to this article in order to not unfairly peg someone as a Troll.
Plus I have to write this lame post. I mean, who wants to see this lame post?
Sincerely,
-- Us
coding is life
So...some say it's alive, some say it's dead.
Obviously the only answer is removing the head or destroying the brain.
Brain surgery - it's not rocket science!
From the OISF Download page:
"The Suricata Engine and the HTP Library are available to use under the GPLv2."
Followed on page 2 of same by this:
"Membership in the OISF Consortium Group provides a non-gpl limited license for the Suricata IDS engine in return for ongoing support. There are multiple tiers available for consortium participation that simplify the varying levels of support and involvement possible for all types of interest. Contributions may range from man hours in development assistance, technology donations, hardware and infrastructure, to financial assistance."
I get that if the code is their copyright, they can dual license at will. But doesn't the above mean any contributions from either a community or "Membership" cannot themselves be GPL, since any code accepted will in turn be distributed "non-gpl" among the membership? Also, are there "multiple tiers" of "non-gpl limited license"?
Any technology distinguishable from magic is insufficiently advanced. - Geek's corollary to Clarke's law
Snort is not dead. Snort is a superior tool for network detection. Snort can be run as a simple dump tool all the way to integration with a MySQL database for analysts. Companies build Snort into their tools like AlienVault and many others. Snort is a veteran tool that can do packet sniffing, packet logging and full-blown IDS. Snort can also be used with other veteran tools like Barnyard and Sguil. Suricata looks like a great product but it's not Snort.
http://www.thetechnologygeek.org
This is probably why OISF is taking a dump on Snort, it's a trick to get attention to their soon-to-be-commercial product !!
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
NT ACLs extend far beyond the file system. Pretty much everything can have a security context, all under the same model. Filesystem objects, running applications, devices, windows, sessions, you name it, it probably has an NT ACL context. I have used this to create a complete system and domain wide tagging system by attaching a powerless dummy user to anything that needs a tag context and storing various criteria in that user's active directory record. I have a handful of users and groups (4 of each) which can be combined in several ways to create over 100 different "tags" that can be assigned to any object, with minimal resource usage.
OISF sent out an update this afternoon:
The Phase Two kickoff meeting for Suricata and the OISF was held in San Francisco last Friday. We had some great discussions, these meetings have proven to be invaluable. Thanks to all who attended, many great ideas were exchanged and discussed. The goals of this meeting were to review where we are in Phase One development, lay out Phase Two major features, and bring in new ideas and challenges. These were accomplished quite well!
Below is a discussion of where we believe we should go with Suricata for Phase Two. This is only the beginning of the conversation, we know everyone interested can't be at one meeting. So please consider this a starting point and we'll continue discussion on the mailing lists.
Status
Overall, the engine is in a great state. We are much further into development than we had expected at this point, we've solved many technical issues we expected to be pushed to Phase Two. I have to say I'm honored to be just near a team of developers with such talent and dedication. Our contributors and consortium members have brought everything we didn't have available to put this incredibly complex engine together. My thanks to everyone who's contributed, but we have a long road ahead of us.
We had originally intended to end Phase One with the 1.0 release and move directly into Phase Two development. Phase One was the more traditional features and the base functionality for the engine, then Phase Two would be the most experimental features. We have decided to push Phase Two development off a few months to put more time into stabilizing and performance tuning the base engine. We need the time for performance tuning, but also our funding for 2010 is due in September, and the foundation is low on resources. So we're limiting development to 1.0.1 bugfixes and performance tuning for the next month or so. We'd also like to see how this release performs and works for the community, so get your feedback in. Phase Two features are very experimental, and will take significant amounts of time to perfect, so we're gathering our resources to attack this on all fronts.
So for this Interim period here are our goals:
Complete Architecture Documentation
Significant Performance Optimization
More Easily Configurable Run Mode Support (Endace has offered to complete this)
Error Code Cleanup and Documentation
Full Documentation (community editable docs)
Advanced Profiling and Engine Statistics Module
Accuracy Improvements
Added Protocol Detections
Classifications Update (support a more elegant definition system)
Full 2.8.6 Syntax Compatibility
Better LibHTP Error Handling
Heavy Inline Testing
The Features to be pursued in Phase Two are:
High Priority:
Max Inspection Time Cutoff Setting (while inline set a packet loose to avoid latency but still process)
File Capture and Extraction in Stream
REGEX Optimization/Acceleration (possibly using alternate regex libraries)
Live Ruleset Updates
Flow Logging (Netflow output)
Add Replace keyword support
Host attribute scrubbing (strip OS identifying oddities)
URI Matching lookups (stopbadware, websense, etc)
Full CUDA Support
Phase Two Low Priority:
IP Reputation - Explore other items, dns, etc
Distributed Blocking
Global Flowbits and flowvars
Full Stream Capture (rotating pcap support)
Traffic Redirection (bait and switch style)
We have a huge list above, and we need your help. Ideas, code contributions, help in documentation, help in translating documentation, and financial and hardware support are needed. We welcome input from any source!
Please join the OISF mailing lists (http://lists.openinfosecfoundation.org/mailman/listinfo) for more info, discussion, and to follow developments. If you'd like more information about consortium membership or ways you can help out please email consortium@openinfosecfoundation.org, or myself directly at jonkman@openinfosecfoundation.org.
Note slashdot username martyroesch, and as it's a six digit UID it can't be some fool that just picked it up today. Here's what Wikipedia says about the parent poster:
To Marty: I tip my hat to you, sir.
Free Martian Whores!
I don't believe that OISF is saying open source Snort is dead. That's just a flame of Snort as they are worried. The internals of Suricata are significantly different. The project is a lot younger than Snort, with just 1 year of existence against 12! That's why I found mroesch's words a bit arrogant talking about Suricata... there's a lot of effort and good results in just one year, and the projects are on different levels of maturity to be compared. No sense there. The first Suricata release is trying to give compatibility to the Emerging Threats rule feed, maintained by Jonkman and co. The OISF team has done an IDS/IPS so far, with a good code base to start making new features and improvements. I guess "multithreading" is just a part of it. With this progression (imho) they have a great future. What I do not understand is these flame articles, somehow against Suricata, but probably Sourcefire has an explanation.
Just thought I'd put a plug in for BRO-IDS: http://www.bro-ids.org/ Basically, you write all the signatures you want, but then write policy files on top of that to interpret that data, so it's a strict superset of Snort's functionality. There's even a tool in the distribution that lets you turn Snort signatures into Bro rules. So, you can have things like: if a user logs in to a machine on HOME NET from anywhere outside of HOME NET, and in the next 15 minutes initiates a file transfer to that machine, and that machine joins an IRC server or has FTP transfers from it in the next 2 days, then raise an alert. At OSU, Bro is used to check all files coming over the border against Team Cymru's (http://www.team-cymru.org/) DNS-based malware database. Check it out! Plus, you get the INFORMATION SECURITY CUBE OF POTENTIAL DOOM! (http://www.nersc.gov/nusers/security/TheSpinningCube.php)
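The three-stage policy sketched in the post above (external login, file transfer within 15 minutes, IRC join or FTP transfer within 2 days) is the kind of stateful correlation a per-packet signature cannot express. As an added example, not Bro's policy language and not code from any of the projects discussed, here is the same logic in Python as a replay over a constructed event stream. HOME_NET, the event schema and the sample timestamps are assumptions for the example; the two time windows are the ones the poster gives.

```python
import ipaddress

# Assumed monitored network for this example.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]

LOGIN_TO_XFER = 15 * 60          # stage 2 must follow stage 1 within 15 minutes
XFER_TO_EGRESS = 2 * 24 * 3600   # stage 3 must follow stage 2 within 2 days

# Constructed events (not real logs): (timestamp_seconds, kind, src_ip, dst_ip).
SAMPLE_EVENTS = [
    (0,      "login",         "203.0.113.9",  "10.0.0.5"),     # external login to 10.0.0.5
    (600,    "file_transfer", "203.0.113.9",  "10.0.0.5"),     # 10 min later: inside window
    (90000,  "irc_join",      "10.0.0.5",     "198.51.100.7"), # ~25 h later: inside 2-day window -> alert
    (0,      "login",         "10.0.0.8",     "10.0.0.6"),     # internal login: chain never starts
    (100,    "file_transfer", "10.0.0.8",     "10.0.0.6"),
    (200,    "irc_join",      "10.0.0.6",     "198.51.100.7"),
    (0,      "login",         "203.0.113.9",  "10.0.0.7"),
    (2000,   "file_transfer", "203.0.113.9",  "10.0.0.7"),     # 33 min later: outside 15-min window
    (3000,   "irc_join",      "10.0.0.7",     "198.51.100.7"), # no alert: chain was broken
    (0,      "login",         "198.51.100.20", "10.0.0.9"),
    (300,    "file_transfer", "198.51.100.20", "10.0.0.9"),
    (170000, "ftp_transfer",  "10.0.0.9",     "192.0.2.50"),   # FTP variant of stage 3 -> alert
]


def in_home_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def correlate(events):
    """Replay events in time order, tracking per-host progress through the
    three stages; returns a list of (victim_host, alert_text)."""
    state = {}    # victim host -> {"login": t, "xfer": t}
    alerts = []
    for t, kind, src, dst in sorted(events, key=lambda e: e[0]):
        if kind == "login" and in_home_net(dst) and not in_home_net(src):
            state[dst] = {"login": t}                 # stage 1 (re)starts the chain
        elif kind == "file_transfer" and dst in state:
            if t - state[dst]["login"] <= LOGIN_TO_XFER:
                state[dst]["xfer"] = t                # stage 2 reached
            else:
                del state[dst]                        # too late: drop stale chain
        elif kind in ("irc_join", "ftp_transfer") and "xfer" in state.get(src, {}):
            if t - state[src]["xfer"] <= XFER_TO_EGRESS:
                alerts.append((src, f"external login -> transfer -> {kind} from {src} to {dst}"))
                del state[src]                        # report once per chain
    return alerts


if __name__ == "__main__":
    for host, text in correlate(SAMPLE_EVENTS):
        print(host, text)
```

Two design points carry over to any production version: state is keyed on the victim host so unrelated hosts cannot cross-contaminate each other's chains, and each stage checks its own window against the previous stage rather than against the chain's start, which is what the poster's "in the next 15 minutes ... in the next 2 days" wording describes. A real deployment would also expire state that never completes, so the table does not grow without bound.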