Slashdot Mirror
Cisco To Acquire Sourcefire For $2.7 Billion
Orome1 writes "Cisco will acquire Sourcefire, a provider of intelligent cybersecurity solutions. Under the terms of the agreement, Cisco will pay $76 per share in cash in exchange for each share of Sourcefire and assume outstanding equity awards for an aggregate purchase price of approximately $2.7 billion, including retention-based incentives. The acquisition has been approved by the board of directors of each company. Once the transaction closes, Cisco will include Sourcefire into its guidance going forward. Prior to the close, Cisco and Sourcefire will continue to operate as separate companies."
Hope most of it is under GPL.
Join the Slashcott! Feb 10 thru Feb 17!
Obviously this is a press release for Sourcefire, so... what are people's real-world experience with Snort? Have you used it successfully to block attacks?
yes, it works as well as the rules you give it.
Snort is an IDS not an IPS, in the role of an IDS it is VERY good (probably the best out there), though with the sourcefire modules it can be a bit annoying because it's hard to tell what exactly might be a false positive (with the community modules you can tell exactly what the rules is doing so you can tell if it's tripping on legitimate traffic). It does take some care and feeding, luckily we outsource that job to a local group that does nothing but security monitoring and management so we didn't have to develop the expertise inhouse.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
There are a number of security companies, including one of Dell's acquired business units, that sell security appliances that are basically snort boxes. So yes, Snort is pretty widely used and deployed and not just messed around with by open source enthusiasts.
Personally, given Cisco's (mis)management of acquired companies in the past, and the inability of their business units to actually work together, I just lost all interest in Snort, unless someone forks it and manages to keep it up to the snuff that Sourcefire has. In the meantime, I'll be giving Bro IDS a very strong look
Snort quickly becomes an IPS with the addition of SNORTSAM.
http://www.sourcefire.com/content/securing-cloud ....... someone else!
They secure the cloud! I'm always interested in anything relating to the word cloud. I'm a cloud cowboy! Once I connect to the cloud, I backup all my personal files to the magical cloud. There, my files float around safely and all fluffy like. Who needs personal storage these days when you can give your sensitive data to
Oh, yea!
Wow, that's just in time to still get crushed on price and service level by Fortinet.
Yes...Snort is an IDS, not an IPS.
Log Snort through Ethereal, or another network protocol analyzer of your choice, and you've just created a free version of what all these companies want to sell you.
Fork ClamAV...PLEASE!
Snort is a great piece of technology considering its origin and when used in the right environment. That said, and having years of first hand experience with it, there are definite "cons".
First, and as others have pointed out, Snort is an IDS not an IPS. This isn't necessarily a negative, but it's an important distinction. Snort tells you that something bad has happened. It doesn't prevent bad things from happening.
Snort is a giant PITA in a large enterprise environment. It will scale, but it takes a LOT of work to do so and it is still somewhat limited.
Snort rules are cool. Everyone knows how to write them and they are a defacto standard in the industry. Even the big players generally let you write Snort rules on their boxes. That said, Snort is VERY rules-heavy. A good for instance; we have two IDS vendors in one of our larger (60K+ users) installations. One of those is Snort, the other is McAfee. I'd say a good average in terms of rules to catch is 25:1. I see similar circumstances at other locations with other vendors vs. Snort. Snort just requires a hell of a lot of rules to do it's job and EVERY DAMN TIME the slightest thing changes with the exploit or vuln...new rule. Snort doesn't do analyitcs, but simply watches for rules matches. 10 years ago this was great, but it's past it's prime.
This last bit is what really puzzles me about the Cisco acquisition. Snort is strong in the SMB market and certainly has ubiquity, but it's on the downward trend unless SourceFire does something quick in order to play catch-up in terms of their technology. Writing and maintaining 40K rules is just stupid and takes a crapload of operations and sustainment staff. Along with those massive rule sets come a massive increase in false positives unless your guys writing the rules are just unbelievably good (and therefore very costly).
Anyway, my two cents. I use Snort at home, but detest having to use it in an enterprise environment, especially in cases where it is provided as a service (fixed cost) as opposed to t&m (bill per hour).
Did anyone else read "Sourceforge" and start to worry about everyone's (1st/2nd/3rd) favorite code repository?
You misspelled Wireshark.
Martin Roesch becomes a billionaire, cisco pays him what he is worth, snort gets forked, sourcefire becomes an evil tool with vendor lockin, and open source alternatives to the sourcefire tools go into serious development. cisco gets the less tech savvy enterprises that were trashing their products for sourcefire to keep paying cisco, and the rest just save money by using snort with the new tools to compete with the proprietary/commercial tools at cisco. sounds good to me.
Martin, you would have made more money if you stayed in the game, but somewhere between a million and a billion or so money is meaningless. you inspire us all.
Snort can be used as an IPS, and Sourcefire IS an IPS. Also, to the guy below saying "Log snort, do some analysis, and you get what companies charge you for", you are completely ignorant. Sourcefire has a proprietary and useful GUI to manage multiple sites and tons of sensors. Sensors that can handle 40Gb/s of traffic. No biggie.
I'm running Snort as an IPS through pfSense at my home.
Take a look at Suricata. Built from the ground up, fully supports snort rules and alerts, barnyard, pulledpork, etc. But it has a TON of cool features (like file carving, LUA support, certificate logging, etc)
In fact I would suggest looking at the Security Onion distro since it has bro, snort, suricata, ELSA, and a bunch of other stuff all combined. VERY cool.
SourceFire has amazing customer support and products. Both the SourceFire IPS (yes, actual inline Intrusion Prevention) and the FireAMP endpoint agents have helped us identify and contain several 0day outbreaks. However, as a present customer of both SourceFire and Cisco, I am deeply troubled by this news and what it means for customer support, product innovation, and costs.
Horndog: cat $ grep "puss" >psy.txt ...---... detel ym reason /.: agentd Microsoft advapapalopasnipper.exe P40M key
Sic Grep | LPT1
Feinstein:
Tra La La La La La La Tra La La La La La La
7 SECONDS UNIX BBS
In 1998 Cisco entered the "hot" intrusion detection market buy buying WheelGroup and their NetSonar product. Seemingly unable or unwilling to understand/develop the product, it was finally killed in 2003, by which time Cisco had put some (not very good) IDS technology into their own core products.
Largely an irrelevance in the IDS world up until today.... they just decided to have another go at it..
"Cisco Systems Inc. said today it will acquire IDS, IPS and anti -malware specialist Sourcefire Inc.for $2.7 billion."
Cisco are NOT going to merge with Sourcefire, but this time around say they will leave it as a separate business unit, perhaps it will work better for them than NetSonar in 1998, perhaps it wont wither and die.
Incredible that Cisco could not successfully grow such capability in-house. Just goes to show that large companies cant achieve much!
Disclaimer: At $DAYJOB, I work on managed security services using Sourcefire, but this is my own personal commentary, not that of my employer.
Sourcefire's primary product line takes Snort, wraps it in hardware appliances, and adds a lot of management tools that you can use in an enterprise or managed services environment. This past year, they've added a firewall capability to compete with Palo Alto* and the UTM vendors like Fortinet - in addition to basic firewall support they've got application identification, so you can do things like allow users to read Facebook but block Facebook games, and you can also do things like URL censorship and known-bad-site blacklisting. They've also been buying up other companies like ClamAV and Immunet, so they've got feeds of malware site identification, and are starting to integrate that with the firewall/IDS as well as continuing the host-based versions.
Cisco's IDS/IPS offers have been pretty lame the past few years, but they've got decent firewalls, so we'll see how those product lines play against each other. (I don't know what Cisco's doing in Anti-virus and cloud malware detection these days.)
Sourcefire's hardware at the low end is basically Linux box appliances, and at the high end they're doing a bunch of hardware acceleration. Their largest single box will handle 10 Gbps of inspection, and they can cluster up to four of those to support 40 Gbps. There's not much competition up at the high end - McAfee may have come out with a 10 Gbps follower to their previous 5 Gbps box, and Juniper has some boxes that are bigger but are mainly firewalls with some limited IPS capability. If you've got existing Snort on Linux, Sourcefire does also sell connection tools to integrate with their management systems.
*The term "Next Generation Firewall" means "whatever Palo Alto's marketing says it means", but is at least firewall plus application identification. I've heard that Cisco tried to buy Palo Alto last year.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
It's very difficult to take an AC's software suggestion seriously. This is the second mention of Suricata by an AC in the comments so far, and pretty high up. It does look interesting though.
Michael J. Ryan - tracker1.info
Or simply make the rules drop instead of alert
I work in a small vendor supplying, among other things, middlebox deep inspection solutions.
To put it nicely, IPS market is in a sad state. The whole business of most major players is based on FUD and marketing geared towards CEOs, CFOs and CIOs. Also, it would appear that relatively few security researchers are even interested or knowledgeable enough to torture these products in ways that high-profile criminals probably do. Often under-the-hood engineering appears to be woefully inadequate if you actually try to fool specifically the middlebox. Products just don't do what they are advertised to do, unless you present them with a bit-perfect attack. Sometimes so bit-perfect that they demand it to have various version strings inserted by security analyst companies to be present. This is advertised as protection! At worst, these products don't even record the fact that connection has been established, at all.
Another sad part on this story is that Snort is not extraordinarily soundly engineered IPS, although it's above average. If you don't twist its' arm, it's an OK IDS, though. It's definitely better than what Cisco has to offer, which, of course, doesn't say much.
I am aware of only one vendor that seems to have engineered IPS products in the possible scenario of attacker fooling around middleboxes, not just endpoints in order to cover his tracks. This is pretty sad; it wouldn't hurt to have healthy competition of products that truly deliver what marketing materials claim.
I know at some point, PRC used stateless Cisco inspection devices to implement some parts of their great firewall. They were, at least back then, surprisingly easy to fool. But then again, that wasn't actually a security-critical setting.
What is a bit more worrying is that I've seen at one nation-level security-critical entity with huge Snort ruleset of their own, and I know it gives them only some protection, not all that they would hope. The saddest part is that what they have at the moment is probably the best they can get, after over a decade of "mature" market of inspection middleboxes, especially if they need to use Snort signatures. It's also sad that they effectively need to live relying on security through obscurity; if well-equipped nation would know what to attack inside their network or what signatures they use, their IPS solution could probably be worked around without even leaving a log trace.
There are some signs more engineering, instead of marketing material and poor benchmarking driven products are getting prominence. Snort is not really the worst of them, but high hopes as part of Cisco? I'm quite suspicious of it.
Congrats Marty!
It seems that specialised IDS/IPS vendors that get bought up by generalised players dramatically drop off in quality soon after. The generalised players just don't look after their new acquisitions as well as they ran themselves when they were independent.
It happened with ISS when IBM bought them and happened with Tipping Point when HP bought them.
Given Cisco's track record I have little faith that Sourcefire will be as good as it was.