Is Open Source SNORT Dead?

alphadogg writes "Is Snort, the 12-year-old open-source intrusion detection and prevention system, dead? The Open Information Security Foundation, a nonprofit group funded by the US Dept. of Homeland Security to come up with next-generation open source IDS/IPS, thinks so. But Snort's creator, Martin Roesch, begs to differ, and in fact, calls the OISF's first open source IDS/IPS code, Suricata 1.0 released this week, a cheap knock-off of Snort paid for with taxpayer dollars. The OISF was founded about a year and a half ago with $1 million in funding from a DHS cybersecurity research program, according to Matt Jonkman, president of OISF. He says OISF was founded to form an open source alternative and replacement to Snort, which he says is now considered dead since the research on what is supposed to be the next-generation version of Snort, Snort 3.0, has stalled."

Great summary quote

[MikeBabcock]

For people who don't read the article:

Suricata's top speeds today may be slower than Snort's. Jonkman is citing Suricata at 8 to 10 Gbit/sec and Roesch cites Snort at 50 Gbit/sec, with both acknowledging a lot of range due to platform use. But beyond that, Roesch says Suricata is basically a "sub-set of Snort's functionality at a fraction of its performance." He even calls Suricata a "clone of Snort" as it uses Snort signatures. The OISF's description of Suricata does include how to use Snort signatures with Suricata and transition off of the Snort platform.

"They've produced a clone of Snort that performs worse at taxpayer's expense," Roesch says. "They haven't advanced IDS."

So, the taxpayer paid good money to develop a slower and less functional version of an already open-source product. Brilliant.

SELinux was a good investment of taxpayer dollars. This was not, as far as I can tell.

From the OISF site...

[Capt+James+McCarthy]

"The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field. "

You make the call.

North Texas Snort Users Group

[technoid_]

Just a heads up. The North Texas Snort Users Group is being revived. I have nothing to do with it, but heard about it at the North Texas Linux Users Group (NTLUG) meeting.

Check out nt-sug.org.

Technoid_

Re:Confusing Story Considering Snort's Activity

[martyroesch]

That's not true, Snort development continues in the open and contributions are still taken from the community. We don't use the community to market our commercial solutions at all, in fact we have strict prohibitions against marketing commercial solutions on the Snort mailing lists.

Stiennon takes the next wrong step by saying that we're preventing the ENTIRE OPEN SOURCE COMMUNITY from developing threat mitigation technology. Completely wrong. You can still add your own patches to Snort either as a contribution to the project or as an external patch, Sourcefire does nothing to prevent that.

We also don't require that you install anything other than Snort when you grab it from snort.org, getting and installing Snort today is just like it was before Sourcefire started. If you don't have the problems that Sourcefire solves (scalability and manageability for the mid to large enterprise) you'd probably barely notice we're out there.

Re:Snort's not dead...

[rotide]

Did you even look at the downloads page?:
http://www.snort.org/snort-downloads

Second link is "source".

If you want the 3.0 source go to:
http://www.snort.org/snort-downloads/snort-3-0/

Maybe these weren't the sources you were looking for?

Re:It's not dead.

[saintlupus]

According to Marty, when asked about IPv6 support at this year's EDUCAUSE Security conference, Snort will happily inspect IPv6 traffic if you configure the HOME_NET to be an IPv6 network.

There's no explicit option to turn it on, because it shifts from v4 to v6 when the rest of the configuration is set up properly. This subtlety seems to elude people. Well, either that or the guy who initially wrote the software doesn't know how it works.

--saint

Re:How can that be now?

[rtfa-troll]

This is not a good thing for anyone concerned !!

Open source project dead? How can that be now?

Well actually, that's not 100% true. Snort is an "open core" project. Sourcefire make most of it's money on the IDSs and other add ons on top, which they don't release under open source licenses. This means that sourcefire doesn't want to put features into snort because they want to profit from them on their upper layers. Also other developers don't want to contribute to snort because they don't think they will get their value back; their features will be taken but sourcefire will not continue their development except where there is benefit for their own solution.

Worst of all; the existence of open source snort makes it difficult for other competing projects to get off the ground; just look at all the snort forks and how little they change it.

The death of snort may be a chance for a better challenger to come up with no open core vendor sucking the life from it.

Having said that, snort has been really valuable; this may also be the thing which motivates Sourcefire to get back into the open source game properly. Let's see if they try to compete or run off into proprietary locked off systems.