Is open source Snort dead? Depends who you ask

Open Information Security Foundation says it's so; Snort's creator disagrees

Is Snort, the 12-year-old open-source intrusion detection and prevention system, dead?

The Open Information Security Foundation (OISF), a nonprofit group funded by the U.S. Dept. of Homeland Security (DHS) to develop a next-generation open source IDS/IPS, thinks so. But Snort's creator, Martin Roesch, begs to differ, and in fact calls the OISF's first open source IDS/IPS code, Suricata 1.0, released this week, a cheap knock-off of Snort paid for with taxpayer dollars.

The OISF was founded about a year and a half ago with $1 million in funding from a DHS cybersecurity research program, according to Matt Jonkman, president of OISF. He says OISF was founded to build an open source alternative to, and replacement for, Snort, which he considers dead now that research on the intended next-generation version, Snort 3.0, has stalled.

"Snort is not conducive to IPv6 nor to multi-threading," Jonkman says, adding, "And Snort 3.0 has been scrapped."

According to Jonkman, OISF's first open source release, Suricata 1.0, is superior to Snort in a number of ways, including its ability to inspect more than one network packet at a time using multi-threading, which he claims improves the chances of detecting attack traffic. Suricata is also said to support IP reputation, so it can flag traffic from "nefarious origins", as well as automated protocol detection, which identifies the protocol used in a network stream.

OISF now has nine consortium members, including Kerio, Bivio, NitroSecurity and Breach Security Labs, along with a number of individual code contributors, including Ivan Ristic.
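To make concrete what "automated protocol detection" means in an IDS, here is a small illustrative detector added for this article. It is not Suricata's or Snort's code; it simply classifies a stream from the first bytes the client sends rather than from the TCP port, so a flow that talks HTTP on port 8443 or SSH on port 80 is still labelled correctly and can be flagged for review. The flow records and payloads are constructed for the example; the port-to-protocol table and the `classify_flows` helper are assumptions of this sketch, not part of either engine.

```python
"""Content-based application-protocol detection over the first bytes of a stream.

Illustrative example, not Suricata or Snort code. The protocol is recognised
from the payload itself, so the TCP port is only a hint that can be cross-checked.
All sample flows below are constructed for this example.
"""
import re

# Request line per the HTTP spec: METHOD SP request-target SP HTTP/x.y CRLF
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/\d\.\d\r?\n")


def _is_http(data: bytes) -> bool:
    return data.startswith(HTTP_METHODS) and HTTP_REQUEST_LINE.match(data) is not None


def _is_tls(data: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version 0x03 0x0X,
    # 2-byte record length, then handshake type 0x01 (ClientHello).
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01)


def _is_ssh(data: bytes) -> bool:
    # RFC 4253 identification string: "SSH-protoversion-softwareversion"
    return data.startswith(b"SSH-2.0-") or data.startswith(b"SSH-1.99-")


# Ordered (name, matcher) pairs; the first matcher that fires wins.
DETECTORS = [("tls", _is_tls), ("ssh", _is_ssh), ("http", _is_http)]


def detect_protocol(first_bytes: bytes) -> str:
    """Return the application protocol recognised from the payload, or 'unknown'."""
    for name, matcher in DETECTORS:
        if matcher(first_bytes):
            return name
    return "unknown"


# Assumed port-to-protocol hints used only for the cross-check (not an engine table).
PORT_GUESS = {80: "http", 8080: "http", 443: "tls", 22: "ssh"}


def classify_flows(flows):
    """flows: iterable of (src, dst_port, first_client_bytes).

    Returns one dict per flow with the port-based guess, the content-based
    result, and a 'mismatch' flag set when a recognised protocol disagrees
    with what the destination port suggests (the case worth an analyst's look).
    """
    results = []
    for src, dport, payload in flows:
        by_port = PORT_GUESS.get(dport, "unknown")
        by_content = detect_protocol(payload)
        results.append({
            "src": src,
            "dport": dport,
            "port_guess": by_port,
            "detected": by_content,
            "mismatch": by_content != "unknown" and by_content != by_port,
        })
    return results


# Constructed sample flows: (source address, destination port, first client bytes)
SAMPLE_FLOWS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.0.0.6", 8443, b"POST /upload HTTP/1.0\r\nContent-Length: 0\r\n\r\n"),  # HTTP on an odd port
    ("10.0.0.7", 443, bytes([0x16, 0x03, 0x01, 0x00, 0xC4, 0x01, 0x00, 0x00, 0xC0, 0x03, 0x03]) + b"\x00" * 32),
    ("10.0.0.8", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),  # SSH carried over port 80
    ("10.0.0.9", 5555, b"\x00\x01\x02\x03"),  # unrecognised binary payload
]

if __name__ == "__main__":
    for row in classify_flows(SAMPLE_FLOWS):
        flag = "  <-- port/protocol mismatch" if row["mismatch"] else ""
        print(f'{row["src"]} -> :{row["dport"]:<5} port says {row["port_guess"]:<8} '
              f'payload says {row["detected"]:<8}{flag}')
```

The mismatch flag is the detection-relevant output: a port-only classifier would have applied HTTP rules to the SSH flow on port 80 and no application rules at all to the HTTP flow on port 8443.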

The Suricata open source code is available free of charge to users and vendors, according to Jonkman, although OISF is asking for fees when the Suricata code is changed to accommodate a specific use. "Some vendors want to make changes to make it work really well," Jonkman says, adding that this usage of Suricata would fall under a different commercial licensing structure.

Suricata is being positioned as a replacement for a supposedly dying Snort. Snort was originally created 12 years ago by Roesch, CTO of Sourcefire, which he founded in 2001 to commercialize Snort while keeping the Snort code base open source.

While Sourcefire has done modestly well, the open source Snort has endured and thrived with spectacular success, today having about 300,000 registered users and nearly 100 vendors that integrate Snort into their own security products.

Roesch didn't mince words in describing what he thinks of OISF and Suricata, whose code Sourcefire engineers have examined.

First off, any suggestion that Snort isn't suited to IPv6 is not true, he says. IPv6 support is required by the federal government, which is among the many users of Snort-based products.

As for Suricata's multi-threading technology, it appears to deliver nothing of substance in terms of performance, Roesch says. "We looked at the performance of Suricata and they talk about how important multi-threading is, but it's radically slower," he says.

Suricata's top speeds today may be slower than Snort's: Jonkman cites Suricata at 8 to 10 Gbit/sec and Roesch cites Snort at 50 Gbit/sec, with both acknowledging a wide range depending on the hardware platform. Beyond that, Roesch says Suricata is basically a "sub-set of Snort's functionality at a fraction of its performance." He even calls Suricata a "clone of Snort" because it uses Snort signatures; the OISF's own description of Suricata does include how to use Snort signatures with Suricata and transition off the Snort platform.

"They've produced a clone of Snort that performs worse at taxpayer's expense," Roesch says. "They haven't advanced IDS."

Roesch does acknowledge that Snort 3.0, described as a research project to test new detection methods that take better advantage of computing power, is not moving ahead as quickly as might be preferred. However, he adds, no one should draw the conclusion that Snort is dead.

"They want Snort to be dead," Roesch says, adding Snort 3.0 "is not discontinued." Additions and updates to the current Snort platform are done weekly, he says.

Nevertheless, Jonkman says DHS is funding OISF because not enough innovation is seen in the IDS industry, adding that the Air Force has been testing Suricata. Jonkman doesn't claim that Suricata 1.0 is the final word from OISF; in fact, some code revisions to Suricata 1.0 are already being made this week, a normal process in open source development.

Vendors without open-source roots are also keeping an eye on OISF and Suricata.

Cisco, a large provider of commercial IPS products, uses a proprietary technology, not Snort, as its technical foundation, but Rush Carskadden, Cisco IPS product-line manager, says the company is aware of OISF and is closely following its activities.

"It's still a little early to say what impact it may have in the industry or the IPS market," Carskadden says, adding Cisco itself already uses multi-threading in its IPS. But he applauded OISF's work to push IDS/IPS forward in an open way through a broad community involvement. "But we love efforts like this, trying out new ideas."

Some analysts are also waxing enthusiastic about OISF.

"Snort of course is widely deployed, especially within academe and the U.S. federal government," says Richard Stiennon, chief research analyst at consultancy IT-Harvest. "As in all technologies, taking a fresh look at the needs and re-starting a framework for addressing those needs has benefits, usually in reduced overhead, and streamlined operations. I believe that OISF will provide that fresh look and offer an alternative to Snort that is free from the commercial interests of Sourcefire.

"Sourcefire controls the intellectual property and the update cycle for changes. They use the install base of Snort to market their commercial solutions," Stiennon says. "I am not saying that is a bad thing for Snort users but it is limiting to the overall development of threat mitigation technology from the open source community."


Stories by Ellen Messmer