Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is Open Source SNORT Dead?

Posted by CmdrTaco on from the migrate-to-chortle dept.

alphadogg writes "Is Snort, the 12-year-old open-source intrusion detection and prevention system, dead? The Open Information Security Foundation, a nonprofit group funded by the US Dept. of Homeland Security to come up with next-generation open source IDS/IPS, thinks so. But Snort's creator, Martin Roesch, begs to differ, and in fact, calls the OISF's first open source IDS/IPS code, Suricata 1.0 released this week, a cheap knock-off of Snort paid for with taxpayer dollars. The OISF was founded about a year and a half ago with $1 million in funding from a DHS cybersecurity research program, according to Matt Jonkman, president of OISF. He says OISF was founded to form an open source alternative and replacement to Snort, which he says is now considered dead since the research on what is supposed to be the next-generation version of Snort, Snort 3.0, has stalled."

18 of 127 comments (clear)

  1. Great summary quote by MikeBabcock · · Score: 3, Informative

    For people who don't read the article:

    Suricata's top speeds today may be slower than Snort's. Jonkman is citing Suricata at 8 to 10 Gbit/sec and Roesch cites Snort at 50 Gbit/sec, with both acknowledging a lot of range due to platform use. But beyond that, Roesch says Suricata is basically a "sub-set of Snort's functionality at a fraction of its performance." He even calls Suricata a "clone of Snort" as it uses Snort signatures. The OISF's description of Suricata does include how to use Snort signatures with Suricata and transition off of the Snort platform.

    "They've produced a clone of Snort that performs worse at taxpayer's expense," Roesch says. "They haven't advanced IDS."

    So, the taxpayer paid good money to develop a slower and less functional version of an already open-source product. Brilliant.

    SELinux was a good investment of taxpayer dollars. This was not, as far as I can tell.

    --
    - Michael T. Babcock (Yes, I blog)
    1. Re:Great summary quote by Anonymusing · · Score: 2, Informative

      Of course, Jonkman does not mention any features that Suricata has, which Snort does not, like multithreading...

      --
      Liberal? Conservative? Compare perspectives at Left-Right
    2. Re:Great summary quote by Sancho · · Score: 2, Informative

      Multithreading is really only a feature if it gets you some benefit (usually that benefit is increased performance.) There are reports which mirror my own findings that indicate that Snort performs much better on one core than Suricata. Snort's Vulnerability Response Team has a blog post that just went up on this exact subject--of course, they have a vested interest in promoting Snort.

      http://vrt-sourcefire.blogspot.com/2010/07/innovation-you-keep-using-that-word.html

      The same physical machine ran Suricata and Snort, and Snort ran almost four time faster:

      "Suricata peaked at about 300 Mb/s without dropping packets, provided no rules are loaded.
      With rules loaded, Suricata runs up to about 200Mb/s.
      Snort, with rules, hits 894Mb/s with no drops" -- Internal VRT Report on Suricata Performance

      Now they don't talk about their testbed, so I'm assuming the worst case for Suricata--single core. At four cores, then, Suricata could match Snort's performance. Scaling up further, it could in theory beat it.

      Now Suricata is also taking an ethical stand against compiled rules, which I like--to a degree. I recognize that there are tests which are hard or impossible to perform using Snort's rules language, but at the same time, I want to be able to look at the rule and see how likely it is to be a false positive. Over the years, the VRT has put out some rules which I would consider laughable. In a highly tuned context, they might work okay. In a larger context (say an ISP or a university, where the sniffers don't necessarily control every machine on the network) they false like crazy. Snort doesn't publish any information on how likely a rule is to false, and so if I can't read the rule, I can't gauge that at all.

    3. Re:Great summary quote by Sancho · · Score: 2, Informative

      Snort runs pretty fast, even if it only uses one core. If you can split your traffic, you can also run two instances of Snort on the same box. Not an ideal solution, but it's an option.

      Once Suricata starts getting better performance, I'll re-evaluate it. For now, in our environment, Snort still outperforms it on the hardware which is within our budget.

  2. From the OISF site... by Capt+James+McCarthy · · Score: 3, Informative

    "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field. "

    You make the call.

    --
    There are no loopholes. It's either legal or it's not.
  3. Re:Snort's just fine by ta+bu+shi+da+yu · · Score: 2, Informative

    What, Tridgwell isn't accepting patches? Someone call UNSW!

    --
    XML is like violence. If it doesn't solve the problem, use more.
  4. North Texas Snort Users Group by technoid_ · · Score: 3, Informative

    Just a heads up. The North Texas Snort Users Group is being revived. I have nothing to do with it, but heard about it at the North Texas Linux Users Group (NTLUG) meeting.

    Check out nt-sug.org.

    Technoid_

    --
    Two wrongs don't make a right, but 3 lefts do - Lew of GO magazine
  5. Re:Nonsense by Anonymous Coward · · Score: 2, Informative

    A million dollars in government money actually only buys you about $1000 in actual work.

  6. Re:Confusing Story Considering Snort's Activity by martyroesch · · Score: 5, Informative

    That's not true, Snort development continues in the open and contributions are still taken from the community. We don't use the community to market our commercial solutions at all, in fact we have strict prohibitions against marketing commercial solutions on the Snort mailing lists.

    Stiennon takes the next wrong step by saying that we're preventing the ENTIRE OPEN SOURCE COMMUNITY from developing threat mitigation technology. Completely wrong. You can still add your own patches to Snort either as a contribution to the project or as an external patch, Sourcefire does nothing to prevent that.

    We also don't require that you install anything other than Snort when you grab it from snort.org, getting and installing Snort today is just like it was before Sourcefire started. If you don't have the problems that Sourcefire solves (scalability and manageability for the mid to large enterprise) you'd probably barely notice we're out there.

  7. Re:ls is dead by skids · · Score: 2, Informative

    Hey, say what you will about Lua, for example "who in their right mind uses 1-based array indexing", but at least it has coroutines, which is more than lots of languages can say for themselves.

    --
    Someone had to do it.
  8. Re:Angry by Anonymous Coward · · Score: 1, Informative

    Sounds more like Martin is clearing up some of the FUD. FUD spread by the Suricata camp....much like M$ spreads FUD against linux, etc.

  9. Re:Snort's not dead... by Rogerborg · · Score: 1, Informative

    Here's the difference, Marty.

    When I go to SourceFire, I see plenty of ways for me to investimentise in my partneritude, but I can't for the life of me seem to find the source of your "open source" product.

    When I go to Suricata, the source link is right there on the front page.

    --
    If you were blocking sigs, you wouldn't have to read this.
  10. Re:Snort's not dead... by rotide · · Score: 4, Informative

    Did you even look at the downloads page?:
    http://www.snort.org/snort-downloads

    Second link is "source".

    If you want the 3.0 source go to:
    http://www.snort.org/snort-downloads/snort-3-0/

    Maybe these weren't the sources you were looking for?

  11. Re:GPLv2 Plus "Non-GPL" by Anonymous Coward · · Score: 1, Informative

    Contributors need to sign the Contribution agreement. It can be found here. http://www.openinfosecfoundation.org/index.php/contributors

    --
    User hereby irrevocably and perpetually assigns, transfers, conveys and sets over to OISF, and OISF hereby accepts the assignment, transfer, conveyance and set over, User's entire worldwide and perpetual right, title and interest in and to the Materials including but not limited to all Intellectual Property Rights in the Materials. User will give OISF or its designee all assistance reasonably required to register, perfect, enforce and apply for and obtain in OISF's name patent, copyright, trademark and other Intellectual Property Rights in any and all jurisdictions
    -

  12. Re:Snort's not dead... by seek3r · · Score: 2, Informative

    I have to agree that Snort is not nearly dead. The team at Sourcefire is working to improve the capabilities of both the open source Snort and the commercial product. With the integration we have put together with NTOSpider (web application security scanner) where NTOSpider is able to generate custom Snort rules for web application vulnerabilities it discovers, this can make Snort a reasonable Web Application Firewall (when in block mode) for accomplishing virtual patches to completely custom web apps. As the Sourcefire team continues to push integration and the Snort rules format to other complimentary technologies, I see an interesting level of advancement on the horizon.

  13. Re:It's not dead. by saintlupus · · Score: 4, Informative

    According to Marty, when asked about IPv6 support at this year's EDUCAUSE Security conference, Snort will happily inspect IPv6 traffic if you configure the HOME_NET to be an IPv6 network.

    There's no explicit option to turn it on, because it shifts from v4 to v6 when the rest of the configuration is set up properly. This subtlety seems to elude people. Well, either that or the guy who initially wrote the software doesn't know how it works.

    --saint

  14. Re:GPLv2 Plus "Non-GPL" by BitZtream · · Score: 2, Informative

    And this is handled all the time by saying 'when you contribute code, you transfer the copyright to us' and then its over.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  15. Re:How can that be now? by rtfa-troll · · Score: 3, Informative

    This is not a good thing for anyone concerned !!

    Open source project dead? How can that be now?

    Well actually, that's not 100% true. Snort is an "open core" project. Sourcefire make most of it's money on the IDSs and other add ons on top, which they don't release under open source licenses. This means that sourcefire doesn't want to put features into snort because they want to profit from them on their upper layers. Also other developers don't want to contribute to snort because they don't think they will get their value back; their features will be taken but sourcefire will not continue their development except where there is benefit for their own solution.

    Worst of all; the existence of open source snort makes it difficult for other competing projects to get off the ground; just look at all the snort forks and how little they change it.

    The death of snort may be a chance for a better challenger to come up with no open core vendor sucking the life from it.

    Having said that, snort has been really valuable; this may also be the thing which motivates Sourcefire to get back into the open source game properly. Let's see if they try to compete or run off into proprietary locked off systems.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();