Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

CheckPoint Acquires Snort

Posted by CmdrTaco on Thu Oct 06, 2005 12:35 PM
from the done-sniffing-each-other dept.
Security IT
bobdehnhardt writes "The Snort-announce list was burning with the news that CheckPoint has signed an agreement to acquire Sourcefire, the commercial arm of the Snort community. As part of the agreement, CheckPoint will "continue to develop and distribute Snort under the GPL, improve and document the program to stay on the cutting edge and expand the snort.org web site." Here is a message from Snort creator Marty Roesch."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

CheckPoint Acquires Snort 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • " Here is a message from Snort creator Marty Roesc (Score:5, Funny)

    by b1gk1tty (670514) on Thursday October 06 2005, @12:40PM (#13732274)
    " Here is a message from Snort creator Marty Roesch."

    I'm rich I'm rich I'm filthy f*ckin rich!
  • Even with such language, does that stop them from forking the sources and creating a new closed source program with a new name?
    • You might want to look into something called dual-licensing. The owner of the copyright can do whatever they please with what they own.

      • Re:Loopholes (Score:5, Informative)

        by monkeydo (173558) on Thursday October 06 2005, @12:58PM (#13732471) Homepage
        No, it doesn't. The owner of the copyright can stop releasing new versions under the GPL. Any code already licensed under the GPL would remain so, but nothing stops them from making all new versions closed, or something in between.

        • Re:Loopholes (Score:4, Informative)

          by FidelCatsro (861135) <fidelcatsro@NosPAm.gmail.com> on Thursday October 06 2005, @01:05PM (#13732551) Journal
          Unless they accepted patches from a third party not directly involved in the project , They would need to track down each and every person that had (and acquire their blessing) or each and every code snippet and remove it .
          This is the same problem which faces the linux Kernel if they wished to move it to the GPL3
        • Except having to chase down every person who ever submitted code, to ask for permission.
        • Nor does anything stop them from directing ongoing snort development to being a "tier B" solution (intentionally degrading the effectiveness or performance of snort) relative to their proprietary "tier A" solutions. Lots of companies do this -- they sell the same product: fully enabled at a premium prices, and partially disabled at a lower price. Many companies manfuacture the generic non-brand products "competing" with their own brands (eg. drug companies). If two products compete with each other, it's
          • "They aren't the owner, neither is Sourcefire, Martin Roesch is."

            I doubt he is the owner either. Once you GPLed your software and people added to it you no longer own the software and can't impose restrictions anymore since you'd infinge the rights of the contributors.
            • "snort" or "snort" as a software product belongs to him, or the company regardless of the licensing scheme attached to the product with the same name.

              Who owns copyrights, trademarks, all of that garbage doesn't matter much when you are talking about GPL software. In a sense you are putting everything on the line when you release GPL software but you by no means are giving away the entire farm. The copyright is yours, we've covered this [slashdot.org]! When people contribute code then their code is © them and not you.
              • "When people contribute code then their code is © them and not you."

                That's what I meant, I don't know how much of the code is his and how much is contributed that's why he deosn't own (the whole) snort -- just like Linus doesn't own Linux kernel, AFAIK.

  • makes sense (Score:4, Interesting)

    by spurious cowherd (104353) on Thursday October 06 2005, @12:51PM (#13732387)
    "We believe Sourcefire has world-class solutions for internal security through their Intrusion Sensor, Real-time Network Awareness (RNA), and Defense Center product lines.

    Checkpoint needs this type of network awareness technology to keep up with Cisco
    I know they lost my company's contract because the network admins like the way Cisco stuff integrates

    I'll start by stating again what I've stated in the past, Snort is now and will continue to be free to end-users. We will continue to develop and distribute the Snort engine under the GPL, improve and document the program to stay on the cutting edge and expand the snort.org web site. The community continues, as always, to be important to us as a group of people who use the code pervasively throughout the entire Internet, report on problems and make suggestions and contributions to the project.

    This is critical to me for many reason. It's good to see. Marty is a man of integrity & I'll bet this is in the aquisition contract

    Check Point to acquire privately held Sourcefire for a total consideration of approximately $225 million.

    Who says you can't make money from FOSS?
    Marty deserves the fiduciary rewards he'll get for all his hard work over the years

  • So CheckPoint is Snorting now is it... Do the cops now, have the DEA been called in to raid their offices.
      • I posted that before passing out at 3am after a long day at work, clearly its not my best work, and hm, i think saying i should properly quote the line in my sig is more polite than saying im deliberatly stealing it and its stupid.
  • Does that mean my father will have to pay for permission when he chuckles?

  • no big deal (Score:5, Informative)

    by qwertphobia (825473) on Thursday October 06 2005, @01:01PM (#13732503)
    This is no big deal. Snort will continue to be GPL and freely available to the world.

    I'm more worried about the recent Nessus changes, have you heard about this?
    Nessus License Change Announcement [nessus.org]

    Nessus 2 will continue to be free
    Nessus 3 will be a free of charge, binary only release

    • Closed-source penetration testing software?
      I sure won't be using that version... and I love nessus!
    • They've been headed that way ever since they did that dodgy plugin licensing thing. Anyone feel like starting a community project to make the free one better?
      • Would have been nice if the community had been contributing to Nessus before they closed the source. The only reason Tenable was able to accomplish this is because they wrote all the code. Their code means they can license it anyway they want. If there had been more significant contributions to the codebase outside of Tenable Nessus the latest and greatest version of Nessus would have remained GPL'd. Tenable would have had no choice and I think they would have been happy with that.

        And I'm going to be cruell

    • I suspect Nessus will be forked soon.

      These types of changes don't worry me. Nothing has been lost except future contributions from the original contributor.

      I don't care if someone doesn't want to work on Free Software, I only care if they take steps to sabotage it, like Microsoft.
      • You're kidding? Right? So who's going to pick up the tab to create a real lab and do full time testing for plug-ins? Or all the other QA tasks that the community has so far been unable to assist Tenable with. A fork of the codebase does nothing to get that infrastructure back.

        To say nothing has been lost is kinda naive.

  • My friend was acquired by a Checkpoint (Score:5, Funny)

    by DrugCheese (266151) on Thursday October 06 2005, @01:31PM (#13732833)
    when he tried to cross the border with snort.

  • in other news... (Score:3, Funny)

    by portscan (140282) on Thursday October 06 2005, @01:40PM (#13732917)
    checkpoint has had yet another security breach. this time, instead of all of their background records being released onto the internet, the source code of their newly acquired security tool, "snort" was released onto the internet. many have already downloaded this and started using free of charge, not to mention modifying it as they see fit and redistributing it also free of charge. this is a truly embarassing second offense for the security company.
  • I see nothing positive about Snort being acquired by CheckPoint.

    CheckPoint bought Zone Labs a couple of years ago and Zone Alarm went from being a rock solid firewall to an absolute mess. There are so many problems with the new version of Zone Alarm that their forums are filled with complaints.
  • I have snort running with BASE, for a nice NID management setup. Without the rules, not much will happen.
    There are currently three levels of access to rules, as seen at http://www.snort.org/rules/ [snort.org]

    1. Anyone can get the rule set that is released with the latest version.
    2. People who pay the big bucks ($1,795/year) can get updated rule sets as soon as they are released.
    3. A third level sits in the middle; where if you register with sourcefire you can get the updated rules five days after they are releas
  • 'Checkpoint buys Snort' - 10/10 for an arresting headline, minus several billion for good thinking. Checkpoint has bought Sourcefire, not *Snort*. That's like saying OSDN have "bought Linux" because they happen to pay Linus.

    Honestly, the "slashdot's going down hill" trolls have been making me roll my eyes pretty much as soon as I became a regular, but things like this really make me wonder :(

  • Kate Moss (Score:3, Funny)

    by Anonymous Coward on Thursday October 06 2005, @03:41PM (#13733930)
    Kate Moss unavailable for comment.
  • How much *significant* code has been contributed to Snort by people outside of SourceFire? I'm talking about things like Frag3, etc. - the underpinnings of Snort.
    • Which is why you run Snort with full packet logging mode in addition to alert mode. This way, if an alert is missed, you can still see all packets sent in an attack and build an alert from that. Just make sure you have enough storage space.

    • Re:while snort is a fine piece of software ... (Score:5, Informative)

      by b0r1s (170449) on Thursday October 06 2005, @12:58PM (#13732477) Homepage
      It's worth mentioning that it's possible to trigger on known attack VECTORS rather than just known attacks - that is, on some vulnerabilities, all possible attacks will have a single signature at some point in the packet, which WILL be triggered. Moreover, some PROTOCOLS will always have the same signature, which may be hit as byproducts of the attack (ie: if I see an IRC packet coming from a webserver, I'm going to alert no matter what port it's on, or where it's going, because it shouldn't be there, period).

      Snort can be bypassed in many scenarios, but it's still very useful.

    • Umm (Score:3, Interesting)

      by temojen (678985)
      Since most attacks are based on known techniques, it can detect a lot of new attacks, such as anything that includes:
      (lots of nulls)

      const char * what = "/bin/sh";

      where: push what;
      push EXEC;
      call syscall;

      (some junk)
      &where
      On a whole lot of architectures, regardless of port. Which means it catches just about any stack-smashing attack that's not SSL encapsulated, regardless of service and whether it's known.
      • const char *whawhat = "//bin/../bin//sh"; push SYSCALLOPCODE jmp esp for(i = 0; i bsize/2; i+=strlen("HILOOKTHISCANBEANOPTOO")); ... xor? Etc. your premise that it can catch just about any stack-smashing attack thats not SSL encapsulated is simply foolish. Snort only catches the people stupid enough to think that they can get away with copy/pasting someone elses shellcode from the 90's.
        • (sorry i shouldve previewed ;[)
          const char *whawhat = "//bin/../bin//sh";

          push SYSCALLOPCODE
          jmp esp

          for(i = 0; i bsize/2; i+=strlen("HILOOKTHISCANBEANOPTOO")); ...

          xor?

          Etc.

          your premise that it can catch just about any stack-smashing attack thats not SSL encapsulated is simply foolish. Snort only catches the people stupid enough to think that they can get away with copy/pasting someone elses shellcode from the 90's.

    • Re:while snort is a fine piece of software ... (Score:5, Informative)

      by PGillingwater (72739) on Thursday October 06 2005, @01:01PM (#13732516) Homepage
      Plus you might find that a shellcode exploit requires a shellcode sled, which can be detected. And many of the people who use Snort might not know that Sourcefire has made a major innovation with RNA -- a passive traffic analysis system which tells you what hosts are in your LAN, and what ports are being used -- kind of like NTOP, but with better consolidation and reporting.

      • Really? I tend to make my nop's some variation of 'HIYOUDONTKNOWWHATYOUARETALKINGABOUT' or 'AAAAAAAAAHCERTIFICATIONSMEANNOTHING' or 'ILUBYOUINTERNETS', which depending on the platform are very valid opcodes, care to explain to me how exactly you will catch that?

        Additionally, I am not the exception, its just that the security industry is full of people who haven't ever actually done much more than believe whatever metasploit told them, so they just don't know how easy it is to sidestep all of their signature
    • Everything happening on your network should be authorized by you. If you're worried about security, then you need to get some benchmarks of the legitimate traffic on your network so you can have the system watch for different patterns.
      • so you can have the system watch for different patterns.

        Like someone reading a different e-mail than yesterday? ;-)

        Sorry, half-joking there. The problem still is that for any somewhat complicated (i.e. real-life) network, there will be a huge volume of different patterns. You end up doing one of two things:

        * Spending huge amounts of time setting up the initial patterns and then updating them every time something small changes

        * Going to a level of abstraction where attacks can slip through, so you're no bett
        • You'll see port 80 connections to your internal webservers and to external sites ... but you shouldn't see port 80 connections to other workstations. That's a flag.

          And so on with every other port. Particularly if you have a well designed network where the workstations have no need to connect to other workstations.

          Like someone reading a different e-mail than yesterday? ;-)

          Nope. More like a workstation suddenly sending, via port 25 (SMTP), to a box outside your network. That's a huge flag.

          It's very easy to

          • Nope. More like a workstation suddenly sending, via port 25 (SMTP), to a box outside your network. That's a huge flag.

            Yeah, though you'd catch that on the firewall, not with an IDS. For anomaly based detection (which snort can do with 'spade'; I haven't tried it myself) you really want to be able to plug in logs from multiple sources - IDS sensors, internal and external firewall interfaces, etc etc. For most networks, you should be able to iterate over each sensor, f/w interface and other in my dream wo

          • You'll see port 80 connections to your internal webservers and to external sites ... but you shouldn't see port 80 connections to other workstations. That's a flag.

            It's very easy to do. You should already know what ports/protocols are in use on your network and what should be connecting on them to what. Start there and investigate any usage you didn't expect to see.

            You must work in a very small organization where this can be said to be true, or have never actually worked in a SOC-- in which case your
    • Aside from the fact that Snort rules get updated very quickly when a new 'sploit is making the rounds, what's with the all-or-nothing angle?

      Snort can be a useful item in your toolkit, adding to your protection as a WHOLE.
    • Checkpoint built their own version of Linux called SecurePlatform specifically for running their firewall, management tools, and other software. Quite often, the GUI and end user tools only ran on Windows, but the real meat-and-potatoes was usually supported on Linux.
      • Indeed. It's also theoretically possible [fw-1.de] to use FreeS/WAN and OpenS/WAN as a VPN client.

        Unfortunately, though, the SmartWhatever management console is Windows-only, and it doesn't really work in WINE. I suppose it'd be possible to edit the policies by hand, but the prospect of doing that is pretty frightening. Hence, the crufty old 2K box on my KVM switch.

        • My solution was to run SmartDashboard within win2k in Vmware in Linux. If you sprung for Checkpoint, Vmware is peanuts. And of course there is qemu, which has worked wonderfully for me so far, although i haven't tried Checkpoint stuff in it as of yet.
          • If you sprung for Checkpoint, Vmware is peanuts.

            Ha. I know it, and you know it, but try telling it to my boss. I just count myself lucky that I'm allowed to run anything I want on my workstation.

            Unfortunately, Win2k was pretty sketchy on qemu last time I checked, and I really didn't have the time to fuck with it, which is why I commandeered an old Windows machine.

    • Hi,

      we evaluated the SSL network extender and it worked fine with Linux. It's not a full flavored SecureClient but will suffice for most uses.

      Regards, Martin

    • What rock have you been under? If you like to keep up on network admin tools, then you are way behind. I first heard of Snort in 2001 or 2002. Snort runs on my IPCop firewall and scans for baddies trying to get in.

      Hell, they are past version 2.4 and you are just NOW hearing about it? Holy crap!

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.