Is Snort, the 12-year-old open-source intrusion detection and prevention system, dead? The Open Information Security Foundation, a nonprofit group funded by the U.S. Dept. of Homeland Security (DHS) to come up with next-generation open source IDS/IPS, thinks so. But Snort's creator, Martin Roesch, begs to differ.
Is Snort, the 12-year-old open-source intrusion detection and prevention system, dead?
The Open Information Security Foundation (OISF), a nonprofit group funded by the U.S. Dept. of Homeland Security (DHS) to come up with next-generation open source IDS/IPS, thinks so. But Snort's creator, Martin Roesch, begs to differ, and in fact, calls the OISF's first open source IDS/IPS code, Suricata 1.0 released this week, a cheap knock-off of Snort paid for with taxpayer dollars.
The OISF was founded about a year and a half ago with $1 million in funding from a DHS cybersecurity research program, according to Matt Jonkman, president of OISF. He says OISF was founded to form an open source alternative and replacement to Snort, which he says is now considered dead since the research on what is supposed to be the next-generation version of Snort, Snort 3.0, has stalled.
"Snort is not conducive to IPv6 nor to multi-threading," Jonkman says, adding, "And Snort 3.0 has been scrapped."
According to Jonkman, OISF's first open source release Suricata 1.0 is superior to Snort in a number of ways, including how it can inspect network packets using a multi-threading technology to inspect more than one packet at a time, which he claims improves the chances of detecting attack traffic. Suricata is also said to support IP reputation to be able to flag traffic from "nefarious origins" as well as automated protocol detection to automatically identify the protocol used in a network stream.Ivan Ristic.
OISF now includes nine consortium members, Kerio, Bivio, NitroSecurity and Breach Security Labs along with a number of other individual code contributors, including
The Suricata open source code is available for free by users and vendors, according to Jonkman, although OISF is asking for fees when Suricata code is changed to accommodate a specific use. "Some vendors want to make changes to make it work really well," Jonkman says, adding this usage of Suricata would lead to a different commercial licensing structure.
Suricata is being positioned as a replacement for a presumably dying Snort. Snort was originally created 12 years ago by Roesch,CTO of Sourcefire, which he founded in 2001 to commercialize Snort, while also keeping the Snort code base open source.
While Sourcefire had done modestly well, Snort open source has endured and thrived with spectacular success, today having about 300,000 registered users, and nearly 100 vendors that integrate Snort into their own security products.
Roesch didn't mince words in describing what he thinks of OISF and Suricata, code that Sourcefire engineers have examined.
First off, any suggestion that Snort isn't suited to IPv6 is not true, he says. IPv6 is required by the federal government, which is among the many users of Snort-based products.
And about Suricata's multi-threading technology, it seems to fail to deliver anything of substance in terms of performance, Roesch says. "We looked at the performance of Suricata and they talk about how important multi-threading is, but it's radically slower," he says.
Suricata's top speeds today may be slower than Snort's. Jonkman is citing Suricata at 8 to 10 Gbit/sec and Roesch cites Snort at 50 Gbit/sec, with both acknowledging a lot of range due to platform use. But beyond that, Roesch says Suricata is basically a "sub-set of Snort's functionality at a fraction of its performance." He even calls Suricata a "clone of Snort" as it uses Snort signatures. The OISF's description of Suricata does include how to use Snort signatures with Suricata and transition off of the Snort platform.
"They've produced a clone of Snort that performs worse at taxpayer's expense," Roesch says. "They haven't advanced IDS."
However, Roesch does acknowledge that Snort 3.0, described as a research project to test new detection methods to take better advantage of computing power, is not moving ahead as quickly as might be preferred. However, he adds, no one should draw the conclusion that Snort is dead.
"They want Snort to be dead," Roesch says, adding Snort 3.0 "is not discontinued." Additions and updates to the current Snort platform are done weekly, he says.
Nevertheless, Jonkman says DHS is funding OISF because not enough innovation is seen in the IDS industry, adding that the Air Force has been testing Suricata. Jonkman doesn't claim that Suricata 1.0 is the final word from OISF, and in fact, some code revisions are already being done to Suricata 1.0 this week, a normal process in open source development.
Vendors that don't have open-source roots are keeping an eye on OISF and Suricata.
Cisco, a large provider of commercial IPS products, uses a proprietary technology, not Snort, as its technical foundation, but Rush Carskadden, Cisco IPS product-line manager, says the company is aware of OISF and is closely following its activities.
"It's still a little early to say what impact it may have in the industry or the IPS market," Carskadden says, adding Cisco itself already uses multi-threading in its IPS. But he applauded OISF's work to push IDS/IPS forward in an open way through a broad community involvement. "But we love efforts like this, trying out new ideas."
Some analysts are also waxing enthusiastic about OISF.
"Snort of course is widely deployed, especially within academe and the U.S. federal government," says Richard Stiennon, chief research analyst at consultancy IT-Harvest. "As in all technologies, taking a fresh look at the needs and re-starting a framework for addressing those needs has benefits, usually in reduced overhead, and streamlined operations. I believe that OISF will provide that fresh look and offer an alternative to Snort that is free from the commercial interests of Sourcefire.
"Sourcefire controls the intellectual property and the update cycle for changes. They use the install base of Snort to market their commercial solutions," Stiennon says. "I am not saying that is a bad thing for Snort users but it is limiting to the overall development of threat mitigation technology from the open source community."
Some Sourcefire customers say they are paying attention to the emerging Snort-Suricata rivalry.
"It's hard to tell, but this does seem to be competing with Snort," says Bill O'Malley, senior security analyst at retailer Lands' End, which uses Sourcefire IPS, and retains Snort open source freeware for some internal use as intrusion-detection sensors.
While O'Malley says he wants to see improvements come more quickly with Snort, he also sees a vibrant open source community around Snort that continues to add new Snort rules. He rejects the idea that Sourcefire-- which he says has never indicated it would do anything but maintain Snort as open source -- has too much control over Snort. But O'Malley is examining Suricata to see what it is, too.
Open source IDS/IPS isn't for everyone, and some security managers who have had experience with it have learned from it, but left it behind and not looked back. Kris Jmaeff, information security systems specialist with the Canadian healthcare agency Interior Health in British Columbia, says he learned a lot about intrusion detection and prevention by using freely available Snort a number of years ago. But he decided to move on.
Jmaeff says he found reviewing and adding open-source IDS/IPS signatures to be "very labor intensive" with the need to monitor online resources such as newsgroups for information about updates and new threats and defenses.
In addition, there's still mistrust among management about open source in general, Jmaeff adds, noting that "with open source, you can't trust it 100%" because it's possible to insert malware into open source updates and there's a sense "there's no one to go back to" if something goes wrong. So the Canadian healthcare agency, though it did have a generally positive experience with Snort, decided two years ago it was time to acquire a commercial IDS/IPS. It reviewed four vendor products -- Sourcefire's among them -- but at the end went with HP's TippingPoint due to price, support and ease of use, with its customized reports.