Is Open Source SNORT Dead? 127
alphadogg writes "Is Snort, the 12-year-old open-source intrusion detection and prevention system, dead?
The Open Information Security Foundation, a nonprofit group funded by the US Dept. of Homeland Security to come up with next-generation open source IDS/IPS, thinks so. But Snort's creator, Martin Roesch, begs to differ, and in fact, calls the OISF's first open source IDS/IPS code, Suricata 1.0 released this week, a cheap knock-off of Snort paid for with taxpayer dollars.
The OISF was founded about a year and a half ago with $1 million in funding from a DHS cybersecurity research program, according to Matt Jonkman, president of OISF. He says OISF was founded to form an open source alternative and replacement to Snort, which he says is now considered dead since the research on what is supposed to be the next-generation version of Snort, Snort 3.0, has stalled."
Great summary quote (Score:4, Informative)
For people who don't read the article:
So, the taxpayer paid good money to develop a slower and less functional version of an already open-source product. Brilliant.
SELinux was a good investment of taxpayer dollars. This was not, as far as I can tell.
From the OISF site... (Score:4, Informative)
"The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field. "
You make the call.
Re:Great summary quote (Score:3, Informative)
Of course, Jonkman does not mention any features that Suricata has, which Snort does not, like multithreading...
Re:Snort's just fine (Score:3, Informative)
What, Tridgwell isn't accepting patches? Someone call UNSW!
North Texas Snort Users Group (Score:4, Informative)
Just a heads up. The North Texas Snort Users Group is being revived. I have nothing to do with it, but heard about it at the North Texas Linux Users Group (NTLUG) meeting.
Check out nt-sug.org. [nt-sug.org]
Technoid_
Re:Nonsense (Score:2, Informative)
A million dollars in government money actually only buys you about $1000 in actual work.
Re:Confusing Story Considering Snort's Activity (Score:5, Informative)
That's not true, Snort development continues in the open and contributions are still taken from the community. We don't use the community to market our commercial solutions at all, in fact we have strict prohibitions against marketing commercial solutions on the Snort mailing lists.
Stiennon takes the next wrong step by saying that we're preventing the ENTIRE OPEN SOURCE COMMUNITY from developing threat mitigation technology. Completely wrong. You can still add your own patches to Snort either as a contribution to the project or as an external patch, Sourcefire does nothing to prevent that.
We also don't require that you install anything other than Snort when you grab it from snort.org, getting and installing Snort today is just like it was before Sourcefire started. If you don't have the problems that Sourcefire solves (scalability and manageability for the mid to large enterprise) you'd probably barely notice we're out there.
Re:ls is dead (Score:3, Informative)
Hey, say what you will about Lua, for example "who in their right mind uses 1-based array indexing", but at least it has coroutines, which is more than lots of languages can say for themselves.
Re:Angry (Score:1, Informative)
Sounds more like Martin is clearing up some of the FUD. FUD spread by the Suricata camp....much like M$ spreads FUD against linux, etc.
Re:Snort's not dead... (Score:1, Informative)
Here's the difference, Marty.
When I go to SourceFire, I see plenty of ways for me to investimentise in my partneritude, but I can't for the life of me seem to find the source of your "open source" product.
When I go to Suricata, the source link is right there on the front page.
Re:Great summary quote (Score:3, Informative)
Multithreading is really only a feature if it gets you some benefit (usually that benefit is increased performance.) There are reports which mirror my own findings that indicate that Snort performs much better on one core than Suricata. Snort's Vulnerability Response Team has a blog post that just went up on this exact subject--of course, they have a vested interest in promoting Snort.
http://vrt-sourcefire.blogspot.com/2010/07/innovation-you-keep-using-that-word.html [blogspot.com]
The same physical machine ran Suricata and Snort, and Snort ran almost four time faster:
"Suricata peaked at about 300 Mb/s without dropping packets, provided no rules are loaded.
With rules loaded, Suricata runs up to about 200Mb/s.
Snort, with rules, hits 894Mb/s with no drops" -- Internal VRT Report on Suricata Performance
Now they don't talk about their testbed, so I'm assuming the worst case for Suricata--single core. At four cores, then, Suricata could match Snort's performance. Scaling up further, it could in theory beat it.
Now Suricata is also taking an ethical stand against compiled rules, which I like--to a degree. I recognize that there are tests which are hard or impossible to perform using Snort's rules language, but at the same time, I want to be able to look at the rule and see how likely it is to be a false positive. Over the years, the VRT has put out some rules which I would consider laughable. In a highly tuned context, they might work okay. In a larger context (say an ISP or a university, where the sniffers don't necessarily control every machine on the network) they false like crazy. Snort doesn't publish any information on how likely a rule is to false, and so if I can't read the rule, I can't gauge that at all.
Re:Great summary quote (Score:3, Informative)
Snort runs pretty fast, even if it only uses one core. If you can split your traffic, you can also run two instances of Snort on the same box. Not an ideal solution, but it's an option.
Once Suricata starts getting better performance, I'll re-evaluate it. For now, in our environment, Snort still outperforms it on the hardware which is within our budget.
Re:Snort's not dead... (Score:5, Informative)
Did you even look at the downloads page?:
http://www.snort.org/snort-downloads [snort.org]
Second link is "source".
If you want the 3.0 source go to:
http://www.snort.org/snort-downloads/snort-3-0/ [snort.org]
Maybe these weren't the sources you were looking for?
Re:GPLv2 Plus "Non-GPL" (Score:1, Informative)
Contributors need to sign the Contribution agreement. It can be found here. http://www.openinfosecfoundation.org/index.php/contributors
--
User hereby irrevocably and perpetually assigns, transfers, conveys and sets over to OISF, and OISF hereby accepts the assignment, transfer, conveyance and set over, User's entire worldwide and perpetual right, title and interest in and to the Materials including but not limited to all Intellectual Property Rights in the Materials. User will give OISF or its designee all assistance reasonably required to register, perfect, enforce and apply for and obtain in OISF's name patent, copyright, trademark and other Intellectual Property Rights in any and all jurisdictions
-
Re:Snort's not dead... (Score:2, Informative)
Re:It's not dead. (Score:4, Informative)
According to Marty, when asked about IPv6 support at this year's EDUCAUSE Security conference, Snort will happily inspect IPv6 traffic if you configure the HOME_NET to be an IPv6 network.
There's no explicit option to turn it on, because it shifts from v4 to v6 when the rest of the configuration is set up properly. This subtlety seems to elude people. Well, either that or the guy who initially wrote the software doesn't know how it works.
--saint
Re:GPLv2 Plus "Non-GPL" (Score:3, Informative)
And this is handled all the time by saying 'when you contribute code, you transfer the copyright to us' and then its over.
Re:How can that be now? (Score:4, Informative)
This is not a good thing for anyone concerned !!
Open source project dead? How can that be now?
Well actually, that's not 100% true. Snort is an "open core" project. Sourcefire make most of it's money on the IDSs and other add ons on top, which they don't release under open source licenses. This means that sourcefire doesn't want to put features into snort because they want to profit from them on their upper layers. Also other developers don't want to contribute to snort because they don't think they will get their value back; their features will be taken but sourcefire will not continue their development except where there is benefit for their own solution.
Worst of all; the existence of open source snort makes it difficult for other competing projects to get off the ground; just look at all the snort forks and how little they change it.
The death of snort may be a chance for a better challenger to come up with no open core vendor sucking the life from it.
Having said that, snort has been really valuable; this may also be the thing which motivates Sourcefire to get back into the open source game properly. Let's see if they try to compete or run off into proprietary locked off systems.