Feeds

Battle joined for future of open source IPS

Snort bares teeth at DHS-backed project

Next gen security for virtualised datacentres

"Sourcefire not revealing the development roadmap for Snort, and not accepting community input or code, is what they [the DHS] do not feel is acceptable," Jonkman explained.

Jonkman held out an olive branch to the Snort camp, praising the calibre of its staff and expressing the hope that Sourcefire may yet become a collaborator and partner in the OISF project.

"We want a good relationship as they have some of the best minds in the field on their staff," he told The Register. "But unfortunately things have not been cooperative in the last two years of OISF development. Some of it is misquotes and blown out of proportion statements in the press, and some are genuine misunderstandings."

The OISF is not out to bury Snort but rather to wake the project from its current torpor. "We have not said Snort is dead," Jonkman explained. "I am clearly saying it hasn't innovated in a long time, and we need to push it further."

However attitudes in the Sourcefire/Snort camp are turning against OISF, making an early rapprochement increasingly unlikely.

Matt Olney, a senior researcher in Sourcefire's vulnerability research team, said that he has become disillusioned with the OISF since last December, after initially welcoming the creation of the project.

Olney cites Sourcefire internal testing figures that show Suricata running far slower than Snort on the same hardware. These are not objective tests, even if you disregard the fact that Suricata is still in development, but they irk Olney because OISF has cited performance as a reason to embrace multi-threading, which Sourcefire opposes.

The rejection by the OISF of rule obfuscation is another objection. Obfuscation of rules makes it harder for hackers to figure out the workings of IPS defences. This approach also makes it easier for the likes of Microsoft and Oracle to pass on vulnerability information, according to Sourcefire.

But the most serious gripe from the Sourcefire crowd seems to revolve around OISF's federal funding, as the shouty conclusion to an otherwise technically detailed and lengthy blog post by Olney last week illustrates:

The OISF has spent nearly a million dollars to fulfill their obligation to the DHS to deliver the next generation in IDS [intrusion detection systems - the forerunner to IPS] engines.  They have since engaged in all manner of wishful thinking, self-aggrandizement and Snort bashing. They've failed, utterly, to deliver on their promises. This is forgivable on the performance front, that problem is non-trivial.

But in the end, what they've built is a poorly functioning Snort-clone, missing the most powerful detection capability that Snort has. There isn't anything in the way of innovation; they are taking the same approach as everyone else from a detection standpoint. Simply put, rehashing isn't innovation.

Olney all but accuses OISF of socialising information security in a hard-hitting post that shows little scope for compromise. The two sides have arrived at entrenched positions and appeared poised to fight for the future of open source intrusion prevention technology.

It promises to be one hell of a fight, of the sort the networking world hasn't witnessed since the battle between ATM and Token Ring in the 1990s, with political disagreements (and possibly abandonment issues from the Snort camp) adding extra spice to the mix. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.