Is Snort, the 12-year-old open-source intrusion detection and prevention system, dead?
The Open Information Security Foundation (OISF), a nonprofit group funded by the U.S. Dept. of Homeland Security (DHS) to come up with next-generation open source IDS/IPS, thinks so. But Snort's creator, Martin Roesch, begs to differ, and in fact, calls the OISF's first open source IDS/IPS code, Suricata 1.0 released this week, a cheap knock-off of Snort paid for with taxpayer dollars.
The OISF was founded about a year and a half ago with $1 million in funding from a DHS cybersecurity research program, according to Matt Jonkman, president of OISF. He says OISF was founded to form an open source alternative and replacement to Snort, which he says is now considered dead since the research on what is supposed to be the next-generation version of Snort, Snort 3.0, has stalled.
"Snort is not conducive to IPv6 nor to multi-threading," Jonkman says, adding, "And Snort 3.0 has been scrapped."
According to Jonkman, OISF's first open source release Suricata 1.0 is superior to Snort in a number of ways, including how it can inspect network packets using a multi-threading technology to inspect more than one packet at a time, which he claims improves the chances of detecting attack traffic. Suricata is also said to support IP reputation to be able to flag traffic from "nefarious origins" as well as automated protocol detection to automatically identify the protocol used in a network stream.OISF now includes nine consortium members, Kerio, Bivio, NitroSecurity and Breach Security Labs along with a number of other individual code contributors, including Ivan Ristic.
The Suricata open source code is available for free by users and vendors, according to Jonkman, although OISF is asking for fees when Suricata code is changed to accommodate a specific use. "Some vendors want to make changes to make it work really well," Jonkman says, adding this usage of Suricata would lead to a different commercial licensing structure.
Suricata is being positioned as a replacement for a presumably dying Snort. Snort was originally created 12 years ago by Roesch,CTO of Sourcefire, which he founded in 2001 to commercialize Snort, while also keeping the Snort code base open source.
While Sourcefire had done modestly well, Snort open source has endured and thrived with spectacular success, today having about 300,000 registered users, and nearly 100 vendors that integrate Snort into their own security products.
Roesch didn't mince words in describing what he thinks of OISF and Suricata, code that Sourcefire engineers have examined.First off, any suggestion that Snort isn't suited to IPv6 is not true, he says. IPv6 is required by the federal government, which is among the many users of Snort-based products.
And about Suricata's multi-threading technology, it seems to fail to deliver anything of substance in terms of performance, Roesch says. "We looked at the performance of Suricata and they talk about how important multi-threading is, but it's radically slower," he says.
Suricata's top speeds today may be slower than Snort's. Jonkman is citing Suricata at 8 to 10 Gbit/sec and Roesch cites Snort at 50 Gbit/sec, with both acknowledging a lot of range due to platform use. But beyond that, Roesch says Suricata is basically a "sub-set of Snort's functionality at a fraction of its performance." He even calls Suricata a "clone of Snort" as it uses Snort signatures. The OISF's description of Suricata does include how to use Snort signatures with Suricata and transition off of the Snort platform.
"They've produced a clone of Snort that performs worse at taxpayer's expense," Roesch says. "They haven't advanced IDS."
However, Roesch does acknowledge that Snort 3.0, described as a research project to test new detection methods to take better advantage of computing power, is not moving ahead as quickly as might be preferred. However, he adds, no one should draw the conclusion that Snort is dead.
"They want Snort to be dead," Roesch says, adding Snort 3.0 "is not discontinued." Additions and updates to the current Snort platform are done weekly, he says.
Nevertheless, Jonkman says DHS is funding OISF because not enough innovation is seen in the IDS industry, adding that the Air Force has been testing Suricata. Jonkman doesn't claim that Suricata 1.0 is the final word from OISF, and in fact, some code revisions are already being done to Suricata 1.0 this week, a normal process in open source development.Vendors that don't have open-source roots are keeping an eye on OISF and Suricata.
Cisco, a large provider of commercial IPS products, uses a proprietary technology, not Snort, as its technical foundation, but Rush Carskadden, Cisco IPS product-line manager, says the company is aware of OISF and is closely following its activities.
"It's still a little early to say what impact it may have in the industry or the IPS market," Carskadden says, adding Cisco itself already uses multi-threading in its IPS. But he applauded OISF's work to push IDS/IPS forward in an open way through a broad community involvement. "But we love efforts like this, trying out new ideas."
Some analysts are also waxing enthusiastic about OISF.
"Snort of course is widely deployed, especially within academe and the U.S. federal government," says Richard Stiennon, chief research analyst at consultancy IT-Harvest. "As in all technologies, taking a fresh look at the needs and re-starting a framework for addressing those needs has benefits, usually in reduced overhead, and streamlined operations. I believe that OISF will provide that fresh look and offer an alternative to Snort that is free from the commercial interests of Sourcefire.
"Sourcefire controls the intellectual property and the update cycle for changes. They use the install base of Snort to market their commercial solutions," Stiennon says. "I am not saying that is a bad thing for Snort users but it is limiting to the overall development of threat mitigation technology from the open source community."