Open Source IDS Wars: You Were There

What is the real story between Snort and Suricata, Jonkman and Roesch? I was there

Over the last couple of weeks I have been following all of the Snort-Suricata, Roesch-Jonkman back and forth. If you are not familiar with the particulars of this latest incident, you can read about them in Ellen Messmer's article and in the column by my fellow Open Source Subnet blogger, Ben Whaley. I know both Marty and Matt pretty well and have been involved in the open source IDS world for years. This recent flare-up has actually been brewing for a long time. I am going to give you my own historical insight and analysis of the real story behind this story.

Mitchell Ashley and I were building StillSecure at the time. Below Mitchell and I discuss this. A great 20 minutes of open IDS history. You Were There:

I first became involved, at least somewhat, in the Snort community when a company I helped found, StillSecure, came out with a Snort-based IPS called StrataGuard. At the time Marty had recently founded Sourcefire. There were many companies selling front ends for Snort and many other companies using Snort under the covers and not telling anyone they were. We were one of the few that were upfront about our product being Snort-based. Marty Roesch, and rightfully so, was upset with all of the companies selling Snort-based products, not paying any fees to Sourcefire and not even acknowledging that their product was Snort-based.

At the same time there was some concern (from a very small minority) about what the founding of Sourcefire would mean: would Snort remain open, would community contributions be used in the official release and, perhaps most importantly, what about code contributed by non-Sourcefire developers? Would they retain their copyright and IP on that code? You can go back and check the Snort mailing list archives for all of that.

At least partially as a result of all of the above, a new alternative Snort community was established. It was called Bleeding Snort (I know, not a great name, but it was meant to signify bleeding edge). It offered an alternative rule set for Snort and had plans to offer alternative code and enhancements to the official Sourcefire Snort. Sort of like a fork of Snort.

Who headed up Bleeding Snort? You guessed it: Matt Jonkman. Matt did a great job working with the companies that were using Snort and were worried about Sourcefire trying to force them to stop. My company StillSecure was one of those companies. We, along with Demarc and several other companies, were sponsors of Bleeding Snort and, as it became known later, Bleeding Edge.

In fact the Bleeding Snort/Bleeding Edge rule set was so good that many thought it superior to the official Snort rule set. Back then Sourcefire was still trying to find its niche in the commercial market, and all of the Snort competition was a thorn in its side. Matt and the Bleeding community were seen as a potential threat. While on the surface and in public there was little interaction or hostility, behind the scenes I can tell you there was lots of tension. I personally used to speak with Matt fairly regularly and would exchange email and postings with Marty Roesch as well.

Sourcefire eventually came up with their VRT certified rule set. The thing about this rule set was not its quality but the fact that it was not open source. Marty and the Sourcefire team, taking a page from Nessus and Tenable Network Security, declared that though Snort itself was and would always remain open source, the rules that Snort ran were not open, and if you were going to use them in your own product you had to pay a fee.

For the average Snort user this was not a big deal. They still got the VRT rule set without paying. For companies using Snort rules this was a major issue. It drove even more of them to the Bleeding Edge community. At StillSecure, we tried to have our cake and eat it too. We sponsored and were a major contributor to Bleeding Edge, but also ponied up 10k to be a VRT partner, allowed to distribute the official rule set too.

I can tell you, though, that this set many people off, including Matt. From that time on, in my discussions with Matt, it was pretty clear to me that he would love to either fork Snort or make a better Snort. He left Bleeding Edge and basically sold it to another company (I don't remember who now; if anyone does, please leave it in a comment).

A short while later Matt returned with Emerging Threats, a new Bleeding Edge-type community. I spoke to Matt a lot around this time. It was clear that with Emerging Threats, Matt had a new Snort as his goal. Also at this time, a sort of equilibrium developed between Sourcefire and the other companies using Snort. I think Sourcefire realized that all of these companies using Snort only helped make Snort the "de facto standard" they claimed it to be.

However, the tension was still simmering underneath. Matt felt Snort was not moving fast enough to keep up with new technology. He felt Sourcefire was holding it back for their own commercial reasons (probably so). When he got the chance to get some government money and create a Snort alternative, he jumped at it.

But why did the government want a Snort alternative, and why did companies join his new OISF? I don't believe that it was entirely that the government thought Snort was washed up. I think it was more of a hedge-your-bets move. At the time Check Point had tried to buy Sourcefire. The government had killed the deal on national security concerns. The Chinese were trying to buy TippingPoint through 3Com. I think the US Government wanted to make sure they had another alternative in the IDS/IPS arena that was not going to be controlled by a foreign entity. By sponsoring their own IDS they were assured that they would have access to a "made in the US" IDS. As to the other sponsors of OISF? Hey, they still don't trust Sourcefire not to pull the Snort rug out from under them.

So when you read about this back and forth over Snort being dead and why Suricata may or may not be better, you should remember the history here. As someone once said, something like: by learning history you are destined not to repeat your mistakes (or something like that).


Copyright © 2010 IDG Communications, Inc.
