
Is open source Snort dead? Depends who you ask

Open Information Security Foundation says it's so; Snort's creator disagrees

By , Network World
July 20, 2010 05:21 PM ET

Network World - Is Snort, the 12-year-old open-source intrusion detection and prevention system, dead?

The Open Information Security Foundation (OISF), a nonprofit group funded by the U.S. Dept. of Homeland Security (DHS) to come up with next-generation open source IDS/IPS, thinks so. But Snort's creator, Martin Roesch, begs to differ, and in fact, calls the OISF's first open source IDS/IPS code, Suricata 1.0 released this week, a cheap knock-off of Snort paid for with taxpayer dollars.

The OISF was founded about a year and a half ago with $1 million in funding from a DHS cybersecurity research program, according to Matt Jonkman, president of OISF. He says OISF was founded to form an open source alternative and replacement to Snort, which he says is now considered dead since the research on what is supposed to be the next-generation version of Snort, Snort 3.0, has stalled.

"Snort is not conducive to IPv6 nor to multi-threading," Jonkman says, adding, "And Snort 3.0 has been scrapped."

According to Jonkman, OISF's first open source release Suricata 1.0 is superior to Snort in a number of ways, including how it can inspect network packets using a multi-threading technology to inspect more than one packet at a time, which he claims improves the chances of detecting attack traffic. Suricata is also said to support IP reputation to be able to flag traffic from "nefarious origins" as well as automated protocol detection to automatically identify the protocol used in a network stream.
OISF now has nine consortium members, including Kerio, Bivio, NitroSecurity and Breach Security Labs, along with a number of individual code contributors, including Ivan Ristic.
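The "automated protocol detection" Jonkman describes means that rules are keyed on the application protocol the engine recognises from the stream content, not on the destination port. The following Python example is added here to illustrate that difference; it is not code from the article, from Suricata or from Snort. It contrasts a port-table classifier with a content-based one over a handful of constructed client-first stream payloads and runs the same two detection rules through both; every payload, port and rule in it is a constructed sample.

```python
"""Port-based versus content-based protocol detection in a toy IDS.

Added example, not the article's or either project's code. Flows are
(destination port, first bytes the client sent) pairs; all sample data is
constructed for the example.
"""
import re
from typing import Callable, List, Optional, Tuple

Flow = Tuple[int, bytes]
Classifier = Callable[[int, bytes], Optional[str]]

# Assumed well-known-port table for the port-based classifier.
PORT_TO_PROTO = {80: "http", 443: "tls", 22: "ssh", 25: "smtp"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def port_protocol(dst_port: int, payload: bytes) -> Optional[str]:
    """Classify a flow purely from its destination port."""
    return PORT_TO_PROTO.get(dst_port)


def content_protocol(dst_port: int, payload: bytes) -> Optional[str]:
    """Classify a flow from its first client bytes, ignoring the port."""
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in payload[:256]:
        return "http"
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # followed by a handshake message of type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01):
        return "tls"
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    if payload.startswith((b"EHLO ", b"HELO ")):
        return "smtp"
    return None


# Rules are (application protocol, content pattern, message); constructed.
RULES = [
    ("http", re.compile(rb"\.\./"), "HTTP URI contains directory traversal sequence"),
    ("ssh", re.compile(rb"^SSH-1\.99-"), "SSH client offering protocol 1 compatibility"),
]


def inspect(flows: List[Flow], classify: Classifier) -> List[str]:
    """Run every rule whose protocol matches the classifier's verdict."""
    alerts = []
    for dst_port, payload in flows:
        proto = classify(dst_port, payload)
        for rule_proto, pattern, msg in RULES:
            if proto == rule_proto and pattern.search(payload):
                alerts.append(f"[{proto}] port {dst_port}: {msg}")
    return alerts


# Constructed sample streams. The traversal request sits on port 8080 so a
# port-based classifier never hands it to the HTTP rules.
SAMPLE_FLOWS: List[Flow] = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (8080, b"GET /../../config HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03\x03"),
    (22, b"SSH-1.99-LegacyClient_1.0\r\n"),
    (2222, b"SSH-2.0-OpenSSH_8.9\r\n"),
]


def compare(flows: List[Flow] = SAMPLE_FLOWS) -> Tuple[List[str], List[str]]:
    """Return (alerts from port-based inspection, alerts from content-based)."""
    return inspect(flows, port_protocol), inspect(flows, content_protocol)


if __name__ == "__main__":
    by_port, by_content = compare()
    print("port-based:", *by_port, sep="\n  ")
    print("content-based:", *by_content, sep="\n  ")
```

Run as a script, the port-based pass reports only the SSH flow on port 22, while the content-based pass also raises the traversal alert for the HTTP request on port 8080. In Suricata the same idea is expressed by writing a rule against the detected application protocol (for example `alert http ...`) rather than a port; the toy classifier above stands in for that detection logic and is far simpler than a real engine's.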

The Suricata open source code is available free to users and vendors, according to Jonkman, although OISF asks for fees when the Suricata code is modified to accommodate a specific use. "Some vendors want to make changes to make it work really well," Jonkman says, adding that this kind of usage of Suricata would fall under a different, commercial licensing structure.

Suricata is being positioned as a replacement for a presumably dying Snort. Snort was originally created 12 years ago by Roesch, CTO of Sourcefire, which he founded in 2001 to commercialize Snort while keeping the Snort code base open source.

While Sourcefire has done modestly well, open source Snort has endured and thrived with spectacular success, today having about 300,000 registered users and nearly 100 vendors that integrate Snort into their own security products.

Roesch didn't mince words in describing what he thinks of OISF and Suricata, code that Sourcefire engineers have examined.

First off, any suggestion that Snort isn't suited to IPv6 is not true, he says. IPv6 is required by the federal government, which is among the many users of Snort-based products.

And as for Suricata's multi-threading technology, it seems to fail to deliver anything of substance in terms of performance, Roesch says. "We looked at the performance of Suricata and they talk about how important multi-threading is, but it's radically slower," he says.
