Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security IT

Is Open Source SNORT Dead? 127

alphadogg writes "Is Snort, the 12-year-old open-source intrusion detection and prevention system, dead? The Open Information Security Foundation, a nonprofit group funded by the US Dept. of Homeland Security to come up with next-generation open source IDS/IPS, thinks so. But Snort's creator, Martin Roesch, begs to differ, and in fact, calls the OISF's first open source IDS/IPS code, Suricata 1.0 released this week, a cheap knock-off of Snort paid for with taxpayer dollars. The OISF was founded about a year and a half ago with $1 million in funding from a DHS cybersecurity research program, according to Matt Jonkman, president of OISF. He says OISF was founded to form an open source alternative and replacement to Snort, which he says is now considered dead since the research on what is supposed to be the next-generation version of Snort, Snort 3.0, has stalled."
This discussion has been archived. No new comments can be posted.

Is Open Source SNORT Dead?

Comments Filter:
  • Yeah (Score:1, Flamebait)

    by Idimmu Xul ( 204345 )

    Yeah, it's dead. HTH.

    • What I like is not the fact that it's "dead". I like the fact that the twitter feed for that article is picking up anyone who snorts on Twitter. Yay computer security, bringing the unwashed masses together!

  • No way (Score:5, Funny)

    by gparent ( 1242548 ) on Wednesday July 21, 2010 @08:10AM (#32976628)
    Netcraft hasn't confirmed it yet.
  • It's not dead. (Score:5, Insightful)

    by saintlupus ( 227599 ) on Wednesday July 21, 2010 @08:10AM (#32976630)

    Snort is nowhere near dead - it's still used in tons of production environments, especially in higher ed (where we've always got plenty of Unix nerds on hand, and never have any money).

    I would imagine Marty's objections probably have something to do with his desire to move people from Snort to the commercial IDS offerings from Sourcefire. That easy upsell doesn't exist if people start off on another product.

    --saint

    • Re: (Score:3, Interesting)

      by Arathrael ( 742381 )

      I suspect in a lot of places where Snort is used, it's mostly just sitting there quietly generating thousands of mostly '(http_inspect) DOUBLE DECODING ATTACK' alerts and being completely ignored. It's easy enough to set it up, but out of the box it typically generates an awful lot of noise in the form of largely useless alerts, so it takes some configuring (and understanding of exactly what those alerts are) to get it to a point where it's really useful.

      And yes, I reckon that the commercial aspect to Snort

      • Re: (Score:2, Insightful)

        by alexborges ( 313924 )

        "Out of the box" IDS's are crap.

        IDS and IPS is a process that needs a human analyst. Pretending that software will adapt and respond to attacks by humans is just the wrong way to go about the network security issue. In that area, nothing beats snort: it is THE best tool for a good analyst to do the best possible job.

    • by mcgrew ( 92797 ) *

      From TFA: "Snort is not conducive to IPv6 nor to multi-threading, And Snort 3.0 has been scrapped."

      I'd say Dr. Kevorkian is on his way, unless someone picks the project up and forks it. That's one of the beauties of open source; when Microsoft stops support of XP, XP is dead. When any FOSS developers stop support, anybody with the necessary skills can revive it.

      • Re:It's not dead. (Score:4, Informative)

        by saintlupus ( 227599 ) on Wednesday July 21, 2010 @12:37PM (#32980184)

        According to Marty, when asked about IPv6 support at this year's EDUCAUSE Security conference, Snort will happily inspect IPv6 traffic if you configure the HOME_NET to be an IPv6 network.

        There's no explicit option to turn it on, because it shifts from v4 to v6 when the rest of the configuration is set up properly. This subtlety seems to elude people. Well, either that or the guy who initially wrote the software doesn't know how it works.

        --saint

    • It is "used" so that companies can check the "have IDS" box during audits. It is ignored, because it generates too many false positives.

      • The same could be said of any commercial IDS creating false positives too.
        I like snort because it is pretty easy to create my own rules to look for traffic I am interested in and to raise an alarm. We use a Cisco IDS for the "checkbox filling" part as it fills a checkbox with fewer questions asked, but I use snort as well because the analytical support it has provided over the years has been great. It's also a great way to answer some of the after-the-fact questions that get raised, just run snort on an ol
  • Is this a fork? (Score:2, Insightful)

    by Anonymous Coward

    Is this a fork or is DHS replicating Snort without copying the code?

    Why is it that I have a queasy feeling in my gut about network security tools supplied by DHS?

  • So what alternatives do /. recommend? Open source preferred.
  • "Rip Off"? (Score:2, Interesting)

    by Anonymous Coward

    Seriously? Having use Suricata...a lot...I can tell you it's much of what SNORT should have become. A rip off it is not. Multi-threading alone is a God-send.

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      Yet they went from 0 to done in a year with 1 million dollars? Meaning 2-4 devs/testers/managers for 1 year. With all the same features as snort and then some. Meaning they took snort and extended it. Then instead of folding those changes back into snort are claiming it as their own. A million dollars sounds like a lot. However, at contractor rates its not much.

      Forks are fine and all. However, they are making it like their base code is 'dead' so they get more eyeballs for 'their' base code. All in a

      • Why fold their changes back? As long as the code is released GPL, it's a waste of their time to try to go "backards" with their updates to the code. Let the snort guys do that if they want to.

      • I dont think suricata is a fork of snort.

    • by Sancho ( 17056 ) *

      The reports I've seen have Suricata performing much more slowly than snort, even with multiple threads.

  • Great summary quote (Score:4, Informative)

    by MikeBabcock ( 65886 ) <mtb-slashdot@mikebabcock.ca> on Wednesday July 21, 2010 @08:12AM (#32976660) Homepage Journal

    For people who don't read the article:

    Suricata's top speeds today may be slower than Snort's. Jonkman is citing Suricata at 8 to 10 Gbit/sec and Roesch cites Snort at 50 Gbit/sec, with both acknowledging a lot of range due to platform use. But beyond that, Roesch says Suricata is basically a "sub-set of Snort's functionality at a fraction of its performance." He even calls Suricata a "clone of Snort" as it uses Snort signatures. The OISF's description of Suricata does include how to use Snort signatures with Suricata and transition off of the Snort platform.

    "They've produced a clone of Snort that performs worse at taxpayer's expense," Roesch says. "They haven't advanced IDS."

    So, the taxpayer paid good money to develop a slower and less functional version of an already open-source product. Brilliant.

    SELinux was a good investment of taxpayer dollars. This was not, as far as I can tell.

    • by Hylandr ( 813770 ) on Wednesday July 21, 2010 @08:22AM (#32976774)
      Having been a Navy contractor in just this exact field, my experience with govt / military jobs indicates to me that this is a lot of stovepipe rooster crowing.

      Self important BS Hype to justify the tax dollars and get the pats on the back. The positive comments here for this 1.5m hack of snort is more than likely astro turfing. Up until now, I haven't even heard of Suricata.

      Can someone provide a link where this has been in some mainstream IT circles being debated as Beta release candidates were released etc?

      - Dan.
    • Re: (Score:3, Informative)

      Of course, Jonkman does not mention any features that Suricata has, which Snort does not, like multithreading...

      • Re: (Score:3, Informative)

        by Sancho ( 17056 ) *

        Multithreading is really only a feature if it gets you some benefit (usually that benefit is increased performance.) There are reports which mirror my own findings that indicate that Snort performs much better on one core than Suricata. Snort's Vulnerability Response Team has a blog post that just went up on this exact subject--of course, they have a vested interest in promoting Snort.

        http://vrt-sourcefire.blogspot.com/2010/07/innovation-you-keep-using-that-word.html [blogspot.com]

        The same physical machine ran Suricata

    • Re: (Score:3, Insightful)

      by LWATCDR ( 28044 )

      I do not know if that is a fair conclusion.
      Snort is single threaded.
      Suricata supports multi-threading.
      So with Snort you are tied to a single core. Not an ideal situation today.

      This is starting to look a lot like KDE vs GNOME security throw down.
      Snort has been stalled for a while. It is a great program but is not adding any new features.
      Suricata is a new FOSS security system. If nothing else competition will make both of them better.
      And as to the waste of money? Well maybe it was but I do not think so. If n

      • Re: (Score:3, Informative)

        by Sancho ( 17056 ) *

        Snort runs pretty fast, even if it only uses one core. If you can split your traffic, you can also run two instances of Snort on the same box. Not an ideal solution, but it's an option.

        Once Suricata starts getting better performance, I'll re-evaluate it. For now, in our environment, Snort still outperforms it on the hardware which is within our budget.

        • by LWATCDR ( 28044 )

          But isn't it nice to have options?
          And if nothing else it may encourage Snort to be even better.

          • Re: (Score:3, Interesting)

            by Sancho ( 17056 ) *

            Absolutely. But usually, you need to be pushing the envelope in order to get your competitors to do the same. Suricata isn't there yet, so Snort can still rest on its laurels.

            • by LWATCDR ( 28044 )

              But they went from zero to here in around one year. The have got multi-threaded support as well in one year.
              I have heard and read from some people that they are already moving to Suricata because they think it has a better future than Snort or because they like some feature that it has.
              Also it is now get some developer attention as well so it may become a good competitor.
              I just don't see what all the venom is about. My guess and it is just a guess is this.
              Sourcefire has made good money off IDS and other sys

              • by Sancho ( 17056 ) *

                But they went from zero to here in around one year.

                With a large portion of the design already done for them.

                I have heard and read from some people that they are already moving to Suricata because they think it has a better future than Snort or because they like some feature that it has.

                Snort has been saying (for a long time) that 3.0 with threads would be coming really soon now. I think that a lot of people are jumping to Suricata because of that, as well as because of the fact that they consider it more "open." Time will tell, but I'm not going to jump ship until they have something that competes with Snort.

                I just don't see what all the venom is about.

                Venom from Sourcefire? I think it's definitely that they are siding with their product.

                Venom from admins? Probably just like you said--football-team mentality.

                Personally, I use the best tool for the job, which means that I have some Windows, Mac, and Unix machines. I use Snort for IDS until Suricata becomes the best tool (if that ever happens.)

                I might play with Suricata at home, but I'm not staking my job on it.

                • by LWATCDR ( 28044 )

                  I do not know that a "large" percentage of their design work was done for them.
                  This does not seem to be a fork. Yes they are using the same method of detection but that is like saying GIMP had a large amount of their design work done for them because it uses a lot of the same methods as Photoshop "and any number of other image processing programs".
                  Just moving to a multi-threaded engine is a huge change.

                  As to jumping ship... Well that would be dumb IMHO
                  Snort still does what you and it would seem most other p

      • Re: (Score:3, Interesting)

        by MikeBabcock ( 65886 )

        Multi-threading a stream isn't implicitly better. A lot of the work for analyzing a packet stream needs to be single-threaded anyway (or have a lot of locks, eliminating multi-thread benefits) because the packets are coming in one at a time.

        Even if you were to break up the incoming packets into streams, then spawn or call a worker thread to handle each stream independently, you'd quickly become resource-bound (due to large numbers of simultaneous streams).

        This isn't even remotely like KDE vs. Gnome. Neith

        • by LWATCDR ( 28044 )

          Please stop the literal net. Yes I know that Gnome isn't a fork of KDE. But the picking sides in this case reminds me of the bad manners I see in Gnome vs KDE threads.

          As to implicitly better or not we will have to see. What is so annoying is this circle the wagons and name calling mentality that is going on.
          Snort is a great program. This is a competitor and brings some interesting new tech to the table.
          Competition is a good thing Snort may improve because it now has some competition.
          I am sure not going to c

          • You've twice called it better without any testing showing that it is, and all implications so far being that it isn't.

            The literal net was because you've been trapped in some reality distortion field. The name calling started by the forking group (claiming Snort was dead) which I'm sure anyone would take offence to.

            To be argumentative, there's no implicit need for competition in open source. Its open source. Just submit patches. There's no implicit benefit to the competition either, since its typically a

      • by GrpA ( 691294 )

        I use SNORT to monitor a large multi-department government network.

        To be honest, the figures quoted are unrealistic to the extreme - likely produced by tests that didn't have any basis in the real world.

        With enough connections and patterns, just over 100 Mbps is more than enough to bring SNORT to it's knees, running a single thread at 100% for about 9 hours a day, with 30% of traffic simply not inspected at all. On the fastest PC I can find. To reduce the load, we've had to stick the IDS behind the firewall

    • This was not, as far as I can tell.

      Yet.

      The keyword is yet.

      SELinux was a shitty investment ... right up until the point where it became useful.

      You don't start instantly doing better than your competition, thats simply not the way it works.

      It does, to me, seem silly to recreate the wheel and keep it GPL. If my tax dollars are going to be spent I expect I more permissive license to be used.

      I'm not okay with paying to have someone write GPL software with my tax money. I'll accept BSD, MIT, Apache, X11 and pub

      • by tuomoks ( 246421 )

        You are right about "yet" and SELinux. But why against GPL - don't you want get something for "your" money? GPL guarantees that any changes / advancements / etc for a product will come back (if used commercially / distributed) when other (not all!) licenses mean that some company / corporation (Microsoft, Oracle, ??) can take the product which was developed by "your" money, start making money for themselves and you have one product which doesn't get developed anymore? Sometimes I don't understand this think

  • So in short (Score:5, Insightful)

    by Anonymous Coward on Wednesday July 21, 2010 @08:14AM (#32976680)

    Okay, so a competing product comes out, they declare their competitor is dead, said competitor says "i'm not dead yet" and accuses them of being a cheap knockoff. Both sides continue to point out flaws or perceived flaws and throw FUD at each other.

  • If you go to the page, 2.8.6-1 was released in April of this year [snort.org]. I guess that's a sign of recent life. Granted, 3.0 appears to be a year before that [snort.org]. I don't think competition between two open source projects is a bad thing. Hell, it's great for the end users. Roesch claims OISF's tool is way slower than SNORT. So let the two fight it out and reap the benefits.

    I think the most serious claim against SNORT came at the end of the article:

    "Sourcefire controls the intellectual property and the update cycle for changes. They use the install base of Snort to market their commercial solutions," Stiennon says. "I am not saying that is a bad thing for Snort users but it is limiting to the overall development of threat mitigation technology from the open source community."

    If that's true, that is not cool. I hate it so much when I'm just trying install PDFCreator or some other GPL'd tool and part of the install process involves a default click box to also install Yahoo's toolbar in all my browsers. It's great to see companies back particular open source projects but I do not care for companies that take hold of the reigns and/or use it to propagate their own proprietary tools. It's one of the reasons I'll consider Flex better than Silverlight but never will I consider it open source despite the SDK source being available. It's got vendor lockin associated with it.

    • by martyroesch ( 589524 ) on Wednesday July 21, 2010 @08:58AM (#32977222) Homepage

      That's not true, Snort development continues in the open and contributions are still taken from the community. We don't use the community to market our commercial solutions at all, in fact we have strict prohibitions against marketing commercial solutions on the Snort mailing lists.

      Stiennon takes the next wrong step by saying that we're preventing the ENTIRE OPEN SOURCE COMMUNITY from developing threat mitigation technology. Completely wrong. You can still add your own patches to Snort either as a contribution to the project or as an external patch, Sourcefire does nothing to prevent that.

      We also don't require that you install anything other than Snort when you grab it from snort.org, getting and installing Snort today is just like it was before Sourcefire started. If you don't have the problems that Sourcefire solves (scalability and manageability for the mid to large enterprise) you'd probably barely notice we're out there.

    • by Animaether ( 411575 ) on Wednesday July 21, 2010 @08:58AM (#32977224) Journal

      I hate it so much when I'm just trying install PDFCreator or some other GPL'd tool and part of the install process involves a default click box to also install Yahoo's toolbar in all my browsers. It's great to see companies back particular open source projects but I do not care for companies that take hold of the reigns and/or use it to propagate their own proprietary tools.

      Aren't those Yahoo! Toolbar, Google Toolbar, Google Earth, Ask.com default homepage, StarOffice etc. options implemented by the developer by choice in order to get a kickback (some fractions of dollars, I suppose) - rather than the companies behind these solutions 'taking hold of' the projects and inserting them?

    • by CAIMLAS ( 41445 )

      Indeed. In fact, using similar qualifiers of "dead", the following projects are "dead" as well:

      * Samba (minor/bug releases in 3.5 last month; samba 4, which has been in development since the beginning of time, is still "alpha")
      * Apache (we've been at 2.2 for how long now? 2.4 is nowhere in sight).
      * Linux (2.6 is something like 6 years old now; the architecture is old and dated despite evolutionary changes. No plans for a 2.8 or 3.0. )
      * gnome2/gtk2 (THese haven't seen any significant change in probably close

  • WTF? (Score:1, Troll)

    by rgviza ( 1303161 )

    The linked article wins the title of Dumbass Article of the Week.

  • by PolygamousRanchKid ( 1290638 ) on Wednesday July 21, 2010 @08:18AM (#32976744)

    The OISF was founded about a year and a half ago with $1 million in funding from a DHS cybersecurity research program . . .

    Open Pork!

  • by Capt James McCarthy ( 860294 ) on Wednesday July 21, 2010 @08:20AM (#32976754) Journal

    "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field. "

    You make the call.

  • ls is dead (Score:5, Funny)

    by vlm ( 69642 ) on Wednesday July 21, 2010 @08:22AM (#32976776)

    In other news, the ls command is also dead. When was the last major functional change for ls? When was the last time you saw a major support contract signed for the ls command? Note that I am accepting $1M contract offers to implement the next generation directory listing program, which I will be naming dir.exe, although I haven't decided whats more trendy, enterprise Java, ruby on rails, or maybe erlang?

    • although I haven't decided whats more trendy, enterprise Java, ruby on rails, or maybe erlang

      Most trendy to use Lua so you can check your files right inside WoW.

      • Re: (Score:3, Informative)

        by skids ( 119237 )

        Hey, say what you will about Lua, for example "who in their right mind uses 1-based array indexing", but at least it has coroutines, which is more than lots of languages can say for themselves.

        • Re: (Score:1, Funny)

          by Anonymous Coward

          Yeah but who in their right mind uses 1-based array indexing?

        • Hey, say what you will about Lua, for example "who in their right mind uses 1-based array indexing", but at least it has coroutines, which is more than lots of languages can say for themselves.

          Fortran? Pascal? Just because C-style 0-based indexing is most common doesn't mean it's the only thing that makes sense.

    • Re:ls is dead (Score:5, Insightful)

      by blincoln ( 592401 ) on Wednesday July 21, 2010 @08:33AM (#32976908) Homepage Journal

      When was the last major functional change for ls? When was the last time you saw a major support contract signed for the ls command?

      When was the last time the landscape of Unix-style directory listings changed significantly? Security-related products need to constantly adapt to new types of threat as well as new variations on older types.

      Think about how much the world of computer security has changed over the last couple of decades. When I had my first dialup shell account with internet access, the idea that there would be a major black-market industry for professionals writing malicious code was literally science fiction.

      Meanwhile, the standard Unix-style directory listing still seems to work fine for most people. I haven't looked into the more specialized (SELinux) variations, but I imagine if there were significant changes to the Unix filesystem security model (e.g. if very complicated NTFS-style permissions were implemented), then ls would probably be significantly extended so that it would accurately represent the additional information.

      • Re: (Score:3, Insightful)

        by drinkypoo ( 153816 )

        I imagine if there were significant changes to the Unix filesystem security model (e.g. if very complicated NTFS-style permissions were implemented), then ls would probably be significantly extended so that it would accurately represent the additional information.

        POSIX.2 allows for ACLs and all major Linux filesystems (Among others, but that's my current area of expertise in computing) have support for them. No mention of "acl" or "ACL" in the manpage for ls.

        • By coincidence, I happened to notice this yesterday:

          C:\>ls --help
          Usage: ls [OPTION]... [FILE]...
          List information about the FILEs (the current directory by default).

          ls version 4.3.169 2005/09 for Microsoft Windows.
          Microsoft Windows extensions by Alan Klietz
          Get the latest version at http://utools.com/msls.asp [utools.com]

          -a, --all do not hide entries starting with .
          -A, --almost-all do not list implied . and ..
          --acls[=STY

        • by Rysc ( 136391 ) *

          Try the info pages maybe? In fact the output of ls -l could be altered to include ACL information, but it would not be very practical as there could be a lot of it. I wouldn't be opposed to some kind of sigil indicating "ACLs exist for this file" - that would be useful, then I could know to getfacl for details.

        • by jandrese ( 485 )

          The next field contains a plus (`+') character if the file has an ACL, or
          a space (` ') if it does not. The ls utility does not show the actual
          ACL; use getfacl(1) to do this.

          This is from ls(1) on FreeBSD 7.3-STABLE

      • Re: (Score:3, Insightful)

        by amorsen ( 7485 )

        (e.g. if very complicated NTFS-style permissions were implemented)

        They are, it's just that nobody uses them. Well except me. Linux with ext3 has had them for ages, and e.g. HP-UX had them in '94 -- probably earlier, but that's when I used them for the first time.

        ls doesn't do much useful with them on Linux though. You need getfacl/setfacl for that.

        • They are, it's just that nobody uses them. Well except me.

          Nobody uses them on Windows either (past accepting the defaults), so you are special. Just like mom told you. ;-)

          Getting back to the original off-topic topic, I'm wondering how you'd think 'ls' could display ACLs and maintain standard columnar output. The fact that you can't get a simple, clear, easy to understand and use octal representation, for example, is, I think, one of the many reasons people stay away from them.

          • by jandrese ( 485 )
            Every time I see someone try to secure a Windows system by revoking "unnecessary" ACLs, they invariably render the system worthless and are forced to reinstall. Windows ACLs may look reasonable on the surface, but they are subtle and vindictive little bastards.
      • by Jorl17 ( 1716772 )
        Good way to refute his argument. The thing to learn is: "Analogies suck, stick to something better". Yeah, I love the vague "something better" as well.
  • Snort's just fine (Score:5, Insightful)

    by guruevi ( 827432 ) on Wednesday July 21, 2010 @08:23AM (#32976788)

    It may not be developed on very actively but that's because it doesn't need to be. It does everything it needs to do and for the rest, the community and any capable sysadmin can make their own rules. At some point the product is finished and all you can do is bugfix it. Adding features makes stuff bloated and is only necessary if you need to sell the stuff in a commercial setting. That's the power of open source, once a product is finished, it's done with. Eventually somebody will rewrite it (if the code is really bad) or make it run better (if architectures change) but a well-written program won't need either in the near future.

    Look at the rsync library. The only thing that was fixed recently is a 64-bit handle to allow for files larger than 4GB to be handled. I don't believe the original programmer is even around anymore to fix stuff on it since the 4GB patch is not included in the official rsync distribution. But it's still widely used without any problems, works as intended and isn't going away soon.

    • Re: (Score:3, Informative)

      What, Tridgwell isn't accepting patches? Someone call UNSW!

    • One's right to life, liberty, property, speech, press, freedom of worship and assembly may not be submitted to vote

      Are you certain about this? Perhaps we should have a poll about this.

      -- It may be flamebait, but it's funny.

  • If there is one thing that is terrible for prompting innovation it's competition. I predict both programs will fade into obscurity within 6 months.

  • by savanik ( 1090193 ) on Wednesday July 21, 2010 @08:37AM (#32976948)

    .... is pretty much DOA.

    Speaking as a security professional, we could REALLY use multi-threaded support in our Snort deployments, and the last time I heard 'multi-threaded support is just around the corner' was in 2008.

    Right now, the fact that one Snort instance runs as one process linked to one interface in your ethernet stack means that only one core can run it. And with us hitting the plateau in computing speed on a per-core basis, and traffic still increasing, multi-threaded support had better show up in the next couple of years at the latest or I'll have to find some other network-based IDS product, at least for some extreme instances.

  • by technoid_ ( 136914 ) on Wednesday July 21, 2010 @08:47AM (#32977070) Homepage Journal

    Just a heads up. The North Texas Snort Users Group is being revived. I have nothing to do with it, but heard about it at the North Texas Linux Users Group (NTLUG) meeting.

    Check out nt-sug.org. [nt-sug.org]

    Technoid_

  • by martyroesch ( 589524 ) on Wednesday July 21, 2010 @08:50AM (#32977120) Homepage

    I should know, I wrote it.

    Snort is developed at Sourcefire these days, the company I started and where I still serve as CTO. I am the lead developer on the Snort 3.0 project right now which is undergoing restructuring after the initial few releases showed performance issues that we weren't ready to live with.

    Snort 2.x is developed by Sourcefire's engineering team, we release several updates a year to the code and updates to detection almost weekly via the Sourcefire VRT. I don't work on the 2.x code base day to day anymore but I do contribute from time to time. Snort 2.9.0 is slated for release this fall and continues 12 years of development on the engine technology which includes some significant innovation in the field of intrusion detection.

    My issue with Suricata is that it has implemented the exact same *detection model* as Snort, it does nothing new from a detection standpoint but wraps it in a multithreaded framework that they're trying to call innovation all on its own. True innovation would be to develop a new way of detecting threats on the wire and they haven't done that, they effectively have implemented the same idea as Snort (processes Snort rules, buffers streams into chunks before processing, etc) on a slower software platform. They implemented what is effectively a Snort fork and did so at taxpayer expense, they got the government to pay them to develop something that the government already gets for free (Snort's detection model) with less features and lower performance.

    Someday Suricata might be a really interesting engine but to go out to the press in a concerted push and advance the idea that "Snort is dead" reflects a stunning amount of hubris and wishful thinking. Snort is the most widely deployed IDS/IPS on the planet, there have been millions of downloads and there are hundreds of thousands of registered users and the community is still growing steadily. Snort's engine development is still moving forward and we have plans to continue to innovate in the field of intrusion detection. If the Suricata team wants to displace it they have a tremendous amount of work to do, they're not even close yet.

    • Re: (Score:1, Informative)

      by Rogerborg ( 306625 )

      Here's the difference, Marty.

      When I go to SourceFire, I see plenty of ways for me to investimentise in my partneritude, but I can't for the life of me seem to find the source of your "open source" product.

      When I go to Suricata, the source link is right there on the front page.

      • by rotide ( 1015173 ) on Wednesday July 21, 2010 @09:40AM (#32977748)

        Did you even look at the downloads page?:
        http://www.snort.org/snort-downloads [snort.org]

        Second link is "source".

        If you want the 3.0 source go to:
        http://www.snort.org/snort-downloads/snort-3-0/ [snort.org]

        Maybe these weren't the sources you were looking for?

        • When I wrote "SourceFire site", you read "snort.org" because...?
          • by h4rr4r ( 612664 )

            Because you went to the wrong website. That one is just for commercial support, they keep it separate to show their seriousness about FREE software.

            • There are lots of commercial software sites which give the link to their community edition directly on their main web page. If they were "serious" they would do that too.
          • by X.25 ( 255792 )

            When I wrote "SourceFire site", you read "snort.org" because...?

            Are you going to keep showing how stupid you are, or you think it's time to stop?

            Please go to http://www.ibm.com/ [ibm.com] and try to find their opensource projects on the front page.

          • When I wrote "SourceFire site", you read "snort.org" because...?

            When you wanted to get source code for snort, you went to SourceFire's web page because...?

            • because he had never heard of snort before and his sourcefire sales person came wondering buy and told him how good it was. Except they probably rather concentrated on the IPS features and he never even realised that snort was under there.
              • Yeah - I'm sure Sourcefire listing Snort as a product and providing a link to snort.org on the product page was all very confusing. But then, when a sales person starts to wonder, you know you're in trouble if you wander along side him.

      • Re: (Score:2, Redundant)

        That's because you went to the commercial site. Try going to the Snort site, and click on the big "Download Snort" link. I'll even provide the URL here:

        http://www.snort.org/snort-downloads [snort.org]

        It's right under the "Source" heading. Not really hard.

      • Re: (Score:1, Troll)

        by X.25 ( 255792 )

        Here's the difference, Marty.

        When I go to SourceFire, I see plenty of ways for me to investimentise in my partneritude, but I can't for the life of me seem to find the source of your "open source" product.

        When I go to Suricata, the source link is right there on the front page.

        I know that using a brain is hard, so I am always willing to help.

        So, here is what you do:

        1) Go to http://www.snort.org/ [snort.org]
        2) Click on "Download Snort" icon
        3) Download Snort

        Yeah, I know, it was hard.

      • Re: (Score:3, Funny)

        by Gerald ( 9696 )

        I went to linux.com and for the life of me I can't find any Linux source code. You're right. These people are losers.

    • I will agree with you from the standpoint that SNORT is not dead and that it was / is very innovative in the IDS/IPS Space, however, Suricata seems to me to have simplified some things for those who are using the product. From web page layout to finding the exact source code that is currently in production. So from a logistical(?) standpoint finding what you want with Suricata is or seems much easier than SNORT. In addition, true multithreaded handling is an innovation from the standpoint it now balances am

    • Re: (Score:2, Informative)

      by seek3r ( 165710 )
      I have to agree that Snort is not nearly dead. The team at Sourcefire is working to improve the capabilities of both the open source Snort and the commercial product. With the integration we have put together with NTOSpider [ntobjectives.com] (web application security scanner) where NTOSpider is able to generate custom Snort rules for web application vulnerabilities it discovers, this can make Snort a reasonable Web Application Firewall (when in block mode) for accomplishing virtual patches to completely custom web apps. As t
    • Why are you so defensive then?

      I use Snort, you're right, I'm not going anywhere any time soon, but why are you so defensive over it.

      They added multithreading, which you have not, and otherwise you say they are the same (who am I to argue with the guy who wrote one of them). That does indeed sound like an improvement (assuming its not a horrid implementation).

      You used a source code license that permits forking and someone did it and released it with some info about it and you're getting upset.

      So they did wh

    • Note slashdot username martyroesch, and as it's a six digit UID it can't be some fool that just picked it up today. Here's what Wikipedia says [wikipedia.org] about the parent poster:

      Martin Roesch
      From Wikipedia, the free encyclopedia
      Jump to: navigation, search
      Martin Roesch founded Sourcefire in 2001 and serves as its Chief Technology Officer. A respected authority on intrusion prevention and detection technology and forensics, he is responsible for the technical direction and product development efforts. Martin, who has 17

    • by LWATCDR ( 28044 )

      Let's start off with the simple fact.
      Snort is a great piece of software.
      But frankly you seem really mad and full of venom.
      I have never heard anything negative about Snort from the producers of Suricata. I have not seen any news stories about Snort being dead.
      What I have heard is Snort 3.0 is no where to be seen. Not a terrible thing since Snort 2.x works just fine.
      Unlike a lot of people on Slashdot I think it is great that you took an FOSS tool that you created and made a living supporting it.
      But your post

    • Wow 12 years. It's been a long time. Curiosly enough back in my last university year (2001), as a final project for the telecommunications degree, I simply took your great Snort program (i do not remember the exact version, maybe 0.9) and patched it so Snort could take advantage of multiprocess and multithread configurations, so multiprocessor (no multicore at those days) machines could use all the available processors when processing network traffic. It was a trivial solution, since parallelization was car
  • Angry (Score:3, Insightful)

    by C_Kode ( 102755 ) on Wednesday July 21, 2010 @09:00AM (#32977258) Journal

    Martin sounds angry. Suricata is new, I wouldn't expect it to blow away the competition at such an early stage. High speed/quality IDS/IPS isn't something that you can xerox off new competitors in 15 minutes. I suspect it's like Firefox's new scripting engine. It was initially slower than the old one, but with time it will overtake it.

    Martin makes his money off Snort and doesn't want other free software encroaching on his livelihood. Well Martin, maybe you should put forth more effort into Snort rather than just resting on your laurels.

    • Re: (Score:1, Informative)

      by Anonymous Coward

      Sounds more like Martin is clearing up some of the FUD. FUD spread by the Suricata camp....much like M$ spreads FUD against linux, etc.

  • Ever notice? (Score:2, Insightful)

    by Anonymous Coward

    Ever notice how funded "non-profits" and new commercial efforts always start by declaring the open source version "dead"? That's a bit like Tesla motors coming out and declaring Ford dead. Whether or not it is true that "Ford is dead", the "competition" has a serious conflict of interest and is in no way qualified to make the declaration. In fact, their need to make such declarations indicates that it is actually far from true.

    A better wording for the OISF:
    "We think our product is better and we wish Snort w

  • by Qubit ( 100461 ) on Wednesday July 21, 2010 @09:37AM (#32977716) Homepage Journal

    I'm forced to post something in this thread to throw away an accidental mod of "Troll".

    If the moderation box gets focus for any reason, it's going to fire off and moderate the person once you exit it. No ifs, ands, or buts.

    So here I am, having to throw away 4 or 5 reasonable (well, I thought so, anyway) mods to this article in order to not unfairly peg someone as a Troll.

    Plus I have to write this lame post. I mean, who wants to see this lame post?

    Sincerely,
    -- Us

  • So...some say it's alive, some say it's dead.

    Obviously the only answer is removing the head or destroying the brain.

  • GPLv2 Plus "Non-GPL" (Score:3, Interesting)

    by PSaltyDS ( 467134 ) on Wednesday July 21, 2010 @09:45AM (#32977810) Journal

    From the OISF Download page:

    "The Suricata Engine and the HTP Library are available to use under the GPLv2."

    Followed on page 2 of same by this:
    "Membership in the OISF Consortium Group provides a non-gpl limited license for the Suricata IDS engine in return for ongoing support. There are multiple tiers available for consortium participation that simplify the varying levels of support and involvement possible for all types of interest. Contributions may range from man hours in development assistance, technology donations, hardware and infrastructure, to financial assistance."

    I get that if the code is their copyright, they can dual license at will. But doesn't the above mean any contributions from either a community or "Membership" cannot themselves be GPL, since any code accepted will in turn be distributed "non-gpl" among the membership? Also, are there "multiple tiers" of "non-gpl limited license"?

    • Re: (Score:1, Informative)

      by Anonymous Coward

      Contributors need to sign the Contribution agreement. It can be found here. http://www.openinfosecfoundation.org/index.php/contributors

      --
      User hereby irrevocably and perpetually assigns, transfers, conveys and sets over to OISF, and OISF hereby accepts the assignment, transfer, conveyance and set over, User's entire worldwide and perpetual right, title and interest in and to the Materials including but not limited to all Intellectual Property Rights in the Materials. User will give OISF or its designee all a

    • This is probably why OISF is taking a dump on Snort, it's a trick to get attention to their soon-to-be-commercial product !!
    • by zefrer ( 729860 )

      "I get that if the code is their copyright, they can dual license at will. But doesn't the above mean any contributions from either a community or "Membership" cannot themselves be GPL, since any code accepted will in turn be distributed "non-gpl" among the membership? Also, are there "multiple tiers" of "non-gpl limited license"?"

      I think you misunderstood. If you obtain a copy of the source code that is licensed and distributed as GPLv2, as they claim to make available, and you then make a patch for that code then your patch must also be available under GPLv2. Otherwise there would be a license violation.

      On the other hand, if you buy support, they will give you the source code under a non-gpl license which they have every right to do since they own the copyright for the original source. This can not contain any GPLv2 only code (unle

    • Re: (Score:3, Informative)

      by BitZtream ( 692029 )

      And this is handled all the time by saying 'when you contribute code, you transfer the copyright to us' and then its over.

      • Roger that. An AC posted the relevant part of the Contribution agreement above:
        "User hereby irrevocably and perpetually assigns, transfers, conveys and sets over to OISF, and OISF hereby accepts the assignment, transfer, conveyance and set over, User's entire worldwide and perpetual right, title and interest in and to the Materials including but not limited to all Intellectual Property Rights in the Materials. User will give OISF or its designee all assistance reasonably required to register, perfect, enfo

    • "The Suricata Engine and the HTP Library are available to use under the GPLv2.
      [...]
      Membership in the OISF Consortium Group provides a non-gpl limited license for the Suricata IDS engine in return for ongoing support."

      Mix the two and what you get is:

      1) Suricata is open to "tivoization" (which is quite a concern for a kind of software that naturally tends to be offered in a "black box" model).

      I don't think I'll consider Suricata on my environment any time soon.
      2) In order to be part of the community you shoul

  • Snort's Better (Score:2, Interesting)

    by helix2301 ( 1105613 )
    Snort is not dead Snort is a superior tool for network detection. Snort can be ran as a simple dump tool all the way to integration a MySQL database for analyst. Companies build snort into there tools like AlienVault and many others. Snort is a veteran tool that can do packet sniffing, packet logging and full-blown IDS. Snort can also be used with other veteran tools like Barnyard and Sguil. Suricata looks like a great product but it's not Snort.

Pascal is not a high-level language. -- Steven Feiner

Working...