Slashdot Mirror


Is Open Source SNORT Dead?

alphadogg writes "Is Snort, the 12-year-old open-source intrusion detection and prevention system, dead? The Open Information Security Foundation, a nonprofit group funded by the US Dept. of Homeland Security to come up with next-generation open source IDS/IPS, thinks so. But Snort's creator, Martin Roesch, begs to differ, and in fact, calls the OISF's first open source IDS/IPS code, Suricata 1.0 released this week, a cheap knock-off of Snort paid for with taxpayer dollars. The OISF was founded about a year and a half ago with $1 million in funding from a DHS cybersecurity research program, according to Matt Jonkman, president of OISF. He says OISF was founded to form an open source alternative and replacement to Snort, which he says is now considered dead since the research on what is supposed to be the next-generation version of Snort, Snort 3.0, has stalled."

11 of 127 comments

  1. "Rip Off"? by Anonymous Coward · · Score: 2, Interesting

    Seriously? Having used Suricata...a lot...I can tell you it's much of what SNORT should have become. A rip off it is not. Multi-threading alone is a God-send.

    1. Re:"Rip Off"? by Anonymous Coward · · Score: 1, Interesting

      Yet they went from 0 to done in a year with 1 million dollars? Meaning 2-4 devs/testers/managers for 1 year. With all the same features as snort and then some. Meaning they took snort and extended it. Then instead of folding those changes back into snort are claiming it as their own. A million dollars sounds like a lot. However, at contractor rates it's not much.

      Forks are fine and all. However, they are making it like their base code is 'dead' so they get more eyeballs for 'their' base code. All in all kind of a shifty way to take over a project. That's not a fork. That's a power grab and they do not want to share the Kool-Aid with the people who brought the punchbowl.

      Now maybe they tried to fold their changes back and the snort guys shot them down? As they are 'changing everything'. Well eventually people get tired of waiting for these mythical changes to become real. I have seen this in many open-source projects too. It probably is one of the major reasons for forks in the first place.

      Haven't followed either project. But many times in tiffs like this it just becomes a bunch of babies arguing about who should be in charge. This smells like one of those arguments.

  2. Confusing Story Considering Snort's Activity by eldavojohn · · Score: 3, Interesting

    If you go to the page, 2.8.6-1 was released in April of this year. I guess that's a sign of recent life. Granted, 3.0 appears to be a year before that. I don't think competition between two open source projects is a bad thing. Hell, it's great for the end users. Roesch claims OISF's tool is way slower than SNORT. So let the two fight it out and reap the benefits.

    I think the most serious claim against SNORT came at the end of the article:

    "Sourcefire controls the intellectual property and the update cycle for changes. They use the install base of Snort to market their commercial solutions," Stiennon says. "I am not saying that is a bad thing for Snort users but it is limiting to the overall development of threat mitigation technology from the open source community."

    If that's true, that is not cool. I hate it so much when I'm just trying to install PDFCreator or some other GPL'd tool and part of the install process involves a default click box to also install Yahoo's toolbar in all my browsers. It's great to see companies back particular open source projects but I do not care for companies that take hold of the reins and/or use it to propagate their own proprietary tools. It's one of the reasons I'll consider Flex better than Silverlight but never will I consider it open source despite the SDK source being available. It's got vendor lock-in associated with it.

    --
    My work here is dung.
  3. Re:Great summary quote by Hylandr · · Score: 5, Interesting

    Having been a Navy contractor in just this exact field, my experience with govt / military jobs indicates to me that this is a lot of stovepipe rooster crowing.

    Self-important BS hype to justify the tax dollars and get the pats on the back. The positive comments here for this 1.5m hack of snort are more than likely astroturfing. Up until now, I haven't even heard of Suricata.

    Can someone provide a link where this has been in some mainstream IT circles being debated as Beta release candidates were released etc?

    - Dan.

    --
    ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
  4. Snort is live. 3.0, OTOH... by savanik · · Score: 5, Interesting

    .... is pretty much DOA.

    Speaking as a security professional, we could REALLY use multi-threaded support in our Snort deployments, and the last time I heard 'multi-threaded support is just around the corner' was in 2008.

    Right now, the fact that one Snort instance runs as one process linked to one interface in your Ethernet stack means that only one core can run it. And with us hitting the plateau in computing speed on a per-core basis, and traffic still increasing, multi-threaded support had better show up in the next couple of years at the latest or I'll have to find some other network-based IDS product, at least for some extreme instances.

  5. Re:It's not dead. by Arathrael · · Score: 2, Interesting

    I suspect in a lot of places where Snort is used, it's mostly just sitting there quietly generating thousands of mostly '(http_inspect) DOUBLE DECODING ATTACK' alerts and being completely ignored. It's easy enough to set it up, but out of the box it typically generates an awful lot of noise in the form of largely useless alerts, so it takes some configuring (and understanding of exactly what those alerts are) to get it to a point where it's really useful.

    And yes, I reckon that the commercial aspect to Snort probably is a key factor in this argument. They push that quite heavily IMO with (e.g.) new rules only being available to subscribers and other users having to register and wait until they're 30 days old to download them.

    I'm curious as to whether Suricata is any good, I might have to check it out. Also, meerkats.

  6. OT: Dear Slashdot Admins: PLEASE FIX the mod box by Qubit · · Score: 2, Interesting

    I'm forced to post something in this thread to throw away an accidental mod of "Troll".

    If the moderation box gets focus for any reason, it's going to fire off and moderate the person once you exit it. No ifs, ands, or buts.

    So here I am, having to throw away 4 or 5 reasonable (well, I thought so, anyway) mods to this article in order to not unfairly peg someone as a Troll.

    Plus I have to write this lame post. I mean, who wants to see this lame post?

    Sincerely,
    -- Us

    --

    coding is life /* the rest is */
  7. GPLv2 Plus "Non-GPL" by PSaltyDS · · Score: 2, Interesting

    From the OISF Download page:

    "The Suricata Engine and the HTP Library are available to use under the GPLv2."

    Followed on page 2 of same by this:
    "Membership in the OISF Consortium Group provides a non-gpl limited license for the Suricata IDS engine in return for ongoing support. There are multiple tiers available for consortium participation that simplify the varying levels of support and involvement possible for all types of interest. Contributions may range from man hours in development assistance, technology donations, hardware and infrastructure, to financial assistance."

    I get that if the code is their copyright, they can dual license at will. But doesn't the above mean any contributions from either a community or "Membership" cannot themselves be GPL, since any code accepted will in turn be distributed "non-gpl" among the membership? Also, are there "multiple tiers" of "non-gpl limited license"?

    --
    Any technology distinguishable from magic is insufficiently advanced. - Geek's corollary to Clarke's law
  8. Snort's Better by helix2301 · · Score: 2, Interesting

    Snort is not dead. Snort is a superior tool for network detection. Snort can be run as a simple dump tool all the way to integration with a MySQL database for analysts. Companies build snort into their tools like AlienVault and many others. Snort is a veteran tool that can do packet sniffing, packet logging and full-blown IDS. Snort can also be used with other veteran tools like Barnyard and Sguil. Suricata looks like a great product but it's not Snort.

  9. Re:Great summary quote by MikeBabcock · · Score: 2, Interesting

    Multi-threading a stream isn't implicitly better. A lot of the work for analyzing a packet stream needs to be single-threaded anyway (or have a lot of locks, eliminating multi-thread benefits) because the packets are coming in one at a time.

    Even if you were to break up the incoming packets into streams, then spawn or call a worker thread to handle each stream independently, you'd quickly become resource-bound (due to large numbers of simultaneous streams).

    This isn't even remotely like KDE vs. Gnome. Neither is a fork of the other, and there were political issues as well.

    --
    - Michael T. Babcock (Yes, I blog)
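An added illustration (not Snort or Suricata code) of the threading trade-off raised in this comment and in savanik's one-process-one-core comment above: rather than a global lock or one thread per stream, packets are hashed on a direction-symmetric 5-tuple and pinned to one of a fixed pool of workers, so each worker sees every packet of its flows in arrival order and keeps that flow's state privately while thread count stays bounded. The packet layout, `Packet`, `flow_key`, `worker_for`, `run_pipeline` and the traffic in `sample_packets` are all constructed for this example.

```python
import hashlib
import queue
import threading
from collections import defaultdict, namedtuple

# Constructed minimal packet: enough of the 5-tuple to hash a flow, plus a
# per-flow sequence number so arrival order can be checked afterwards.
Packet = namedtuple("Packet", "src sport dst dport proto seq")


def flow_key(p):
    # Symmetric key: client->server and server->client map to the same flow,
    # so a single worker owns the whole stream and its reassembly state.
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, ends[0], ends[1])


def worker_for(p, n_workers):
    # Stable hash of the flow key chooses the worker; the pool is fixed in size,
    # so threads and memory stay bounded no matter how many flows are live.
    digest = hashlib.blake2b(repr(flow_key(p)).encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_workers


def run_pipeline(packets, n_workers):
    """Pin each packet to its worker; return per-worker {flow_key: [seq, ...]}."""
    queues = [queue.Queue() for _ in range(n_workers)]
    state = [defaultdict(list) for _ in range(n_workers)]

    def work(i):
        while (p := queues[i].get()) is not None:  # None is the stop sentinel
            state[i][flow_key(p)].append(p.seq)   # private per-worker state, no locks

    threads = [threading.Thread(target=work, args=(i,)) for i in range(n_workers)]
    for t in threads:
        t.start()
    for p in packets:  # the capture thread only hashes and hands off
        queues[worker_for(p, n_workers)].put(p)
    for q in queues:
        q.put(None)
    for t in threads:
        t.join()
    return state


def sample_packets():
    # Constructed traffic: three TCP flows interleaved, alternating direction.
    flows = [("10.0.0.5", 40001, "192.0.2.10", 80), ("10.0.0.6", 40002, "192.0.2.10", 80),
             ("10.0.0.5", 40003, "192.0.2.20", 443)]
    pkts = []
    for seq in range(4):
        for src, sport, dst, dport in flows:
            ends = (src, sport, dst, dport) if seq % 2 == 0 else (dst, dport, src, sport)
            pkts.append(Packet(*ends, "tcp", seq))
    return pkts
```

Each flow still ends up on exactly one worker with its packets in order, which is the property a per-flow reassembler needs; what the example does not model is the uneven load a few elephant flows put on a single worker.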
  10. Re:Great summary quote by Sancho · · Score: 2, Interesting

    Absolutely. But usually, you need to be pushing the envelope in order to get your competitors to do the same. Suricata isn't there yet, so Snort can still rest on its laurels.