Is Open Source SNORT Dead?

alphadogg writes "Is Snort, the 12-year-old open-source intrusion detection and prevention system, dead? The Open Information Security Foundation, a nonprofit group funded by the US Dept. of Homeland Security to come up with next-generation open source IDS/IPS, thinks so. But Snort's creator, Martin Roesch, begs to differ, and in fact, calls the OISF's first open source IDS/IPS code, Suricata 1.0 released this week, a cheap knock-off of Snort paid for with taxpayer dollars. The OISF was founded about a year and a half ago with $1 million in funding from a DHS cybersecurity research program, according to Matt Jonkman, president of OISF. He says OISF was founded to form an open source alternative and replacement to Snort, which he says is now considered dead since the research on what is supposed to be the next-generation version of Snort, Snort 3.0, has stalled."
  • It's not dead. (Score:5, Insightful)

    by saintlupus ( 227599 ) on Wednesday July 21, 2010 @09:10AM (#32976630)

    Snort is nowhere near dead - it's still used in tons of production environments, especially in higher ed (where we've always got plenty of Unix nerds on hand, and never have any money).

    I would imagine Marty's objections probably have something to do with his desire to move people from Snort to the commercial IDS offerings from Sourcefire. That easy upsell doesn't exist if people start off on another product.

    --saint

  • Is this a fork? (Score:2, Insightful)

    by Anonymous Coward on Wednesday July 21, 2010 @09:10AM (#32976636)

    Is this a fork or is DHS replicating Snort without copying the code?

    Why is it that I have a queasy feeling in my gut about network security tools supplied by DHS?

  • So in short (Score:5, Insightful)

    by Anonymous Coward on Wednesday July 21, 2010 @09:14AM (#32976680)

    Okay, so a competing product comes out, they declare their competitor is dead, said competitor says "I'm not dead yet" and accuses them of being a cheap knockoff. Both sides continue to point out flaws or perceived flaws and throw FUD at each other.

  • by PolygamousRanchKid ( 1290638 ) on Wednesday July 21, 2010 @09:18AM (#32976744)

    The OISF was founded about a year and a half ago with $1 million in funding from a DHS cybersecurity research program . . .

    Open Pork!

  • Snort's just fine (Score:5, Insightful)

    by guruevi ( 827432 ) on Wednesday July 21, 2010 @09:23AM (#32976788)

    It may not be developed on very actively but that's because it doesn't need to be. It does everything it needs to do and for the rest, the community and any capable sysadmin can make their own rules. At some point the product is finished and all you can do is bugfix it. Adding features makes stuff bloated and is only necessary if you need to sell the stuff in a commercial setting. That's the power of open source, once a product is finished, it's done with. Eventually somebody will rewrite it (if the code is really bad) or make it run better (if architectures change) but a well-written program won't need either in the near future.

    Look at the rsync library. The only thing that was fixed recently is a 64-bit handle to allow for files larger than 4GB to be handled. I don't believe the original programmer is even around anymore to fix stuff on it since the 4GB patch is not included in the official rsync distribution. But it's still widely used without any problems, works as intended and isn't going away soon.

  • Re:ls is dead (Score:5, Insightful)

    by blincoln ( 592401 ) on Wednesday July 21, 2010 @09:33AM (#32976908) Homepage Journal

    When was the last major functional change for ls? When was the last time you saw a major support contract signed for the ls command?

    When was the last time the landscape of Unix-style directory listings changed significantly? Security-related products need to constantly adapt to new types of threat as well as new variations on older types.

    Think about how much the world of computer security has changed over the last couple of decades. When I had my first dialup shell account with internet access, the idea that there would be a major black-market industry for professionals writing malicious code was literally science fiction.

    Meanwhile, the standard Unix-style directory listing still seems to work fine for most people. I haven't looked into the more specialized (SELinux) variations, but I imagine if there were significant changes to the Unix filesystem security model (e.g. if very complicated NTFS-style permissions were implemented), then ls would probably be significantly extended so that it would accurately represent the additional information.

  • Re:ls is dead (Score:3, Insightful)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Wednesday July 21, 2010 @09:44AM (#32977022) Homepage Journal

    I imagine if there were significant changes to the Unix filesystem security model (e.g. if very complicated NTFS-style permissions were implemented), then ls would probably be significantly extended so that it would accurately represent the additional information.

    POSIX.2 allows for ACLs and all major Linux filesystems (among others, but that's my current area of expertise in computing) have support for them. No mention of "acl" or "ACL" in the manpage for ls.

  • Re:ls is dead (Score:3, Insightful)

    by amorsen ( 7485 ) <benny+slashdot@amorsen.dk> on Wednesday July 21, 2010 @09:46AM (#32977054)

    (e.g. if very complicated NTFS-style permissions were implemented)

    They are, it's just that nobody uses them. Well except me. Linux with ext3 has had them for ages, and e.g. HP-UX had them in '94 -- probably earlier, but that's when I used them for the first time.

    ls doesn't do much useful with them on Linux though. You need getfacl/setfacl for that.

  • by martyroesch ( 589524 ) on Wednesday July 21, 2010 @09:50AM (#32977120) Homepage

    I should know, I wrote it.

    Snort is developed at Sourcefire these days, the company I started and where I still serve as CTO. I am the lead developer on the Snort 3.0 project right now which is undergoing restructuring after the initial few releases showed performance issues that we weren't ready to live with.

    Snort 2.x is developed by Sourcefire's engineering team, we release several updates a year to the code and updates to detection almost weekly via the Sourcefire VRT. I don't work on the 2.x code base day to day anymore but I do contribute from time to time. Snort 2.9.0 is slated for release this fall and continues 12 years of development on the engine technology which includes some significant innovation in the field of intrusion detection.

    My issue with Suricata is that it has implemented the exact same *detection model* as Snort, it does nothing new from a detection standpoint but wraps it in a multithreaded framework that they're trying to call innovation all on its own. True innovation would be to develop a new way of detecting threats on the wire and they haven't done that, they effectively have implemented the same idea as Snort (processes Snort rules, buffers streams into chunks before processing, etc) on a slower software platform. They implemented what is effectively a Snort fork and did so at taxpayer expense, they got the government to pay them to develop something that the government already gets for free (Snort's detection model) with less features and lower performance.

    Someday Suricata might be a really interesting engine but to go out to the press in a concerted push and advance the idea that "Snort is dead" reflects a stunning amount of hubris and wishful thinking. Snort is the most widely deployed IDS/IPS on the planet, there have been millions of downloads and there are hundreds of thousands of registered users and the community is still growing steadily. Snort's engine development is still moving forward and we have plans to continue to innovate in the field of intrusion detection. If the Suricata team wants to displace it they have a tremendous amount of work to do, they're not even close yet.
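
The "detection model" Roesch describes, the Snort rule format that both engines consume, is easy to see in code. The following is an added example written for this page; it is not code from Snort, Suricata or Sourcefire. It parses a rule header and its options, expands `$HOME_NET`-style variables, and fires when every `content` pattern appears in a packet payload. The rules, variables and packets are constructed samples, and matching is deliberately simplified: exact byte matches only, `->` direction only, no PCRE, no stream reassembly and no modifiers such as `nocase` or `depth`.

```python
"""Minimal Snort-style rule parser and payload matcher (added example, not
Snort or Suricata code). Rules, variables and packets are constructed samples;
matching is simplified to exact 'content' byte matches on '->' rules."""
import ipaddress
import re
from dataclasses import dataclass, field

# Rule header: action proto src sport -> dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# One option: keyword, optional ':' value (quoted or bare), terminated by ';'
OPT_RE = re.compile(
    r'\s*(?P<key>[\w.]+)(?:\s*:\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?\s*;'
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)  # byte patterns; all must match


def content_to_bytes(text):
    """Convert a Snort content string with |hex| escapes to raw bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_options(opts):
    """Tokenise the option body into (keyword, value) pairs; value may be None."""
    pairs, pos, opts = [], 0, opts.strip()
    while pos < len(opts):
        m = OPT_RE.match(opts, pos)
        if not m:
            raise ValueError(f"bad option syntax near {opts[pos:]!r}")
        val = m.group("val")
        if val is not None and val.startswith('"'):
            val = val[1:-1]            # strip surrounding quotes
        pairs.append((m.group("key"), val))
        pos = m.end()
    return pairs


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a rule: {text!r}")
    rule = Rule(*(m.group(k) for k in
                  ("action", "proto", "src", "sport", "dst", "dport")))
    for key, val in parse_options(m.group("opts")):
        if key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = int(val)
        elif key == "content":
            rule.contents.append(content_to_bytes(val))
    return rule


def addr_matches(pattern, value, variables):
    pattern = variables.get(pattern, pattern)   # expand $HOME_NET and friends
    if pattern == "any":
        return True
    return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)


def port_matches(pattern, value):
    return pattern == "any" or int(pattern) == int(value)


def rule_matches(rule, pkt, variables):
    if rule.proto not in ("any", "ip", pkt["proto"]):
        return False
    if not (addr_matches(rule.src, pkt["src"], variables)
            and port_matches(rule.sport, pkt["sport"])
            and addr_matches(rule.dst, pkt["dst"], variables)
            and port_matches(rule.dport, pkt["dport"])):
        return False
    return all(c in pkt["payload"] for c in rule.contents)


def run_rules(rules, packets, variables):
    """Return (sid, msg) for every rule that fires on every packet, in order."""
    return [(r.sid, r.msg) for pkt in packets for r in rules
            if rule_matches(r, pkt, variables)]


# --- constructed samples: not real signatures or captured traffic ---
VARIABLES = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "any"}
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE HTTP traversal sequence"; '
    'flow:to_server,established; content:"GET "; content:"../"; sid:1000001; rev:1;)',
    'alert tcp any any -> $HOME_NET 21 (msg:"SAMPLE FTP anonymous login"; '
    'content:"USER |61 6E 6F 6E|"; sid:1000002;)',
]
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.5", "sport": "51234", "dst": "192.168.1.10",
     "dport": "80", "payload": b"GET /../../secret.txt HTTP/1.1\r\nHost: x\r\n\r\n"},
    {"proto": "tcp", "src": "203.0.113.5", "sport": "51235", "dst": "192.168.1.10",
     "dport": "80", "payload": b"GET /index.html HTTP/1.1\r\n\r\n"},
    {"proto": "tcp", "src": "198.51.100.7", "sport": "40000", "dst": "192.168.1.20",
     "dport": "21", "payload": b"USER anon\r\n"},
]

if __name__ == "__main__":
    rules = [parse_rule(r) for r in SAMPLE_RULES]
    for sid, msg in run_rules(rules, SAMPLE_PACKETS, VARIABLES):
        print(f"[{sid}] {msg}")
```

Running it prints one alert for the first packet (both `content` patterns present on port 80 into `$HOME_NET`) and one for the third (the `|hex|` escape decodes to `USER anon`); the second packet is silent because `../` never appears. The point for the thread is that everything above is engine-independent: a rule written in this form is processed the same way whether the engine behind it is single-threaded or hands packets to several worker threads, which is why Roesch characterises the rule-processing side of Suricata as the same model rather than a new one.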

  • by Animaether ( 411575 ) on Wednesday July 21, 2010 @09:58AM (#32977224) Journal

    I hate it so much when I'm just trying to install PDFCreator or some other GPL'd tool and part of the install process involves a default click box to also install Yahoo's toolbar in all my browsers. It's great to see companies back particular open source projects but I do not care for companies that take hold of the reins and/or use it to propagate their own proprietary tools.

    Aren't those Yahoo! Toolbar, Google Toolbar, Google Earth, Ask.com default homepage, StarOffice etc. options implemented by the developer by choice in order to get a kickback (some fractions of dollars, I suppose) - rather than the companies behind these solutions 'taking hold of' the projects and inserting them?

  • Angry (Score:3, Insightful)

    by C_Kode ( 102755 ) on Wednesday July 21, 2010 @10:00AM (#32977258) Journal

    Martin sounds angry. Suricata is new, I wouldn't expect it to blow away the competition at such an early stage. High speed/quality IDS/IPS isn't something that you can xerox off new competitors in 15 minutes. I suspect it's like Firefox's new scripting engine. It was initially slower than the old one, but with time it will overtake it.

    Martin makes his money off Snort and doesn't want other free software encroaching on his livelihood. Well Martin, maybe you should put forth more effort into Snort rather than just resting on your laurels.

  • by LWATCDR ( 28044 ) on Wednesday July 21, 2010 @10:05AM (#32977310) Homepage Journal

    I do not know if that is a fair conclusion.
    Snort is single threaded.
    Suricata supports multi-threading.
    So with Snort you are tied to a single core. Not an ideal situation today.

    This is starting to look a lot like KDE vs GNOME security throw down.
    Snort has been stalled for a while. It is a great program but is not adding any new features.
    Suricata is a new FOSS security system. If nothing else competition will make both of them better.
    And as to the waste of money? Well maybe it was but I do not think so. If nothing else I feel it is GREAT that this is being done as a FOSS project.

    As to the performance claims: what platform was running the tests? What was the load on the platforms? 8 to 10 Gbit/sec is going to do the trick for what percentage of users? How many people have a single internet connection that matches that?
    And being multi threaded Suricata may very well scale better than Snort in the future as we are going for more and more cores vs faster cores.
    As I said sometime competition is a good thing.

  • Ever notice? (Score:2, Insightful)

    by Anonymous Coward on Wednesday July 21, 2010 @10:09AM (#32977360)

    Ever notice how funded "non-profits" and new commercial efforts always start by declaring the open source version "dead"? That's a bit like Tesla motors coming out and declaring Ford dead. Whether or not it is true that "Ford is dead", the "competition" has a serious conflict of interest and is in no way qualified to make the declaration. In fact, their need to make such declarations indicates that it is actually far from true.

    A better wording for the OISF:
    "We think our product is better and we wish Snort would just go away, because we are so tired of hearing from our potential customers 'We use Snort, and it does all that already, why would we switch?'."

    OISF is also probably getting really tired of trying to justify every year the expenditure of taxpayer dollars to support a capability that Snort already provides for free. If they really had such a great capability, they wouldn't have any need whatsoever to spread Snort bashing FUD.

  • Re:It's not dead. (Score:2, Insightful)

    by alexborges ( 313924 ) on Wednesday July 21, 2010 @01:40PM (#32980218)

    "Out of the box" IDS's are crap.

    IDS and IPS is a process that needs a human analyst. Pretending that software will adapt and respond to attacks by humans is just the wrong way to go about the network security issue. In that area, nothing beats snort: it is THE best tool for a good analyst to do the best possible job.
