Slashdot Mirror
Is Open Source SNORT Dead?
alphadogg writes "Is Snort, the 12-year-old open-source intrusion detection and prevention system, dead?
The Open Information Security Foundation, a nonprofit group funded by the US Dept. of Homeland Security to come up with next-generation open source IDS/IPS, thinks so. But Snort's creator, Martin Roesch, begs to differ, and in fact, calls the OISF's first open source IDS/IPS code, Suricata 1.0 released this week, a cheap knock-off of Snort paid for with taxpayer dollars.
The OISF was founded about a year and a half ago with $1 million in funding from a DHS cybersecurity research program, according to Matt Jonkman, president of OISF. He says OISF was founded to form an open source alternative and replacement to Snort, which he says is now considered dead since the research on what is supposed to be the next-generation version of Snort, Snort 3.0, has stalled."
Netcraft hasn't confirmed it yet.
Snort is nowhere near dead - it's still used in tons of production environments, especially in higher ed (where we've always got plenty of Unix nerds on hand, and never have any money).
I would imagine Marty's objections probably have something to do with his desire to move people from Snort to the commercial IDS offerings from Sourcefire. That easy upsell doesn't exist if people start off on another product.
--saint
For people who don't read the article:
So, the taxpayer paid good money to develop a slower and less functional version of an already open-source product. Brilliant.
SELinux was a good investment of taxpayer dollars. This was not, as far as I can tell.
- Michael T. Babcock (Yes, I blog)
Okay, so a competing product comes out, they declare their competitor is dead, said competitor says "i'm not dead yet" and accuses them of being a cheap knockoff. Both sides continue to point out flaws or perceived flaws and throw FUD at each other.
I think the most serious claim against SNORT came at the end of the article:
"Sourcefire controls the intellectual property and the update cycle for changes. They use the install base of Snort to market their commercial solutions," Stiennon says. "I am not saying that is a bad thing for Snort users but it is limiting to the overall development of threat mitigation technology from the open source community."
If that's true, that is not cool. I hate it so much when I'm just trying install PDFCreator or some other GPL'd tool and part of the install process involves a default click box to also install Yahoo's toolbar in all my browsers. It's great to see companies back particular open source projects but I do not care for companies that take hold of the reigns and/or use it to propagate their own proprietary tools. It's one of the reasons I'll consider Flex better than Silverlight but never will I consider it open source despite the SDK source being available. It's got vendor lockin associated with it.
My work here is dung.
The OISF was founded about a year and a half ago with $1 million in funding from a DHS cybersecurity research program . . .
Open Pork!
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
"The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field. "
You make the call.
There are no loopholes. It's either legal or it's not.
In other news, the ls command is also dead. When was the last major functional change for ls? When was the last time you saw a major support contract signed for the ls command? Note that I am accepting $1M contract offers to implement the next generation directory listing program, which I will be naming dir.exe, although I haven't decided whats more trendy, enterprise Java, ruby on rails, or maybe erlang?
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
It may not be developed on very actively but that's because it doesn't need to be. It does everything it needs to do and for the rest, the community and any capable sysadmin can make their own rules. At some point the product is finished and all you can do is bugfix it. Adding features makes stuff bloated and is only necessary if you need to sell the stuff in a commercial setting. That's the power of open source, once a product is finished, it's done with. Eventually somebody will rewrite it (if the code is really bad) or make it run better (if architectures change) but a well-written program won't need either in the near future.
Look at the rsync library. The only thing that was fixed recently is a 64-bit handle to allow for files larger than 4GB to be handled. I don't believe the original programmer is even around anymore to fix stuff on it since the 4GB patch is not included in the official rsync distribution. But it's still widely used without any problems, works as intended and isn't going away soon.
Custom electronics and digital signage for your business: www.evcircuits.com
.... is pretty much DOA.
Speaking as a security professional, we could REALLY use multi-threaded support in our Snort deployments, and the last time I heard 'multi-threaded support is just around the corner' was in 2008.
Right now, the fact that one Snort instance runs as one process linked to one interface in your ethernet stack means that only one core can run it. And with us hitting the plateau in computing speed on a per-core basis, and traffic still increasing, multi-threaded support had better show up in the next couple of years at the latest or I'll have to find some other network-based IDS product, at least for some extreme instances.
Just a heads up. The North Texas Snort Users Group is being revived. I have nothing to do with it, but heard about it at the North Texas Linux Users Group (NTLUG) meeting.
Check out nt-sug.org.
Technoid_
Two wrongs don't make a right, but 3 lefts do - Lew of GO magazine
I should know, I wrote it.
Snort is developed at Sourcefire these days, the company I started and where I still serve as CTO. I am the lead developer on the Snort 3.0 project right now which is undergoing restructuring after the initial few releases showed performance issues that we weren't ready to live with.
Snort 2.x is developed by Sourcefire's engineering team, we release several updates a year to the code and updates to detection almost weekly via the Sourcefire VRT. I don't work on the 2.x code base day to day anymore but I do contribute from time to time. Snort 2.9.0 is slated for release this fall and continues 12 years of development on the engine technology which includes some significant innovation in the field of intrusion detection.
My issue with Suricata is that it has implemented the exact same *detection model* as Snort, it does nothing new from a detection standpoint but wraps it in a multithreaded framework that they're trying to call innovation all on its own. True innovation would be to develop a new way of detecting threats on the wire and they haven't done that, they effectively have implemented the same idea as Snort (processes Snort rules, buffers streams into chunks before processing, etc) on a slower software platform. They implemented what is effectively a Snort fork and did so at taxpayer expense, they got the government to pay them to develop something that the government already gets for free (Snort's detection model) with less features and lower performance.
Someday Suricata might be a really interesting engine but to go out to the press in a concerted push and advance the idea that "Snort is dead" reflects a stunning amount of hubris and wishful thinking. Snort is the most widely deployed IDS/IPS on the planet, there have been millions of downloads and there are hundreds of thousands of registered users and the community is still growing steadily. Snort's engine development is still moving forward and we have plans to continue to innovate in the field of intrusion detection. If the Suricata team wants to displace it they have a tremendous amount of work to do, they're not even close yet.
This is not a good thing for anyone concerned !!
Open source project dead? How can that be now?
Well actually, that's not 100% true. Snort is an "open core" project. Sourcefire make most of it's money on the IDSs and other add ons on top, which they don't release under open source licenses. This means that sourcefire doesn't want to put features into snort because they want to profit from them on their upper layers. Also other developers don't want to contribute to snort because they don't think they will get their value back; their features will be taken but sourcefire will not continue their development except where there is benefit for their own solution.
Worst of all; the existence of open source snort makes it difficult for other competing projects to get off the ground; just look at all the snort forks and how little they change it.
The death of snort may be a chance for a better challenger to come up with no open core vendor sucking the life from it.
Having said that, snort has been really valuable; this may also be the thing which motivates Sourcefire to get back into the open source game properly. Let's see if they try to compete or run off into proprietary locked off systems.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();