Feeds

Battle joined for future of open source IPS

Snort bares teeth at DHS-backed project

Using blade systems to cut costs and sharpen efficiencies

"Sourcefire not revealing the development roadmap for Snort, and not accepting community input or code, is what they [the DHS] do not feel is acceptable," Jonkman explained.

Jonkman held out an olive branch to the Snort camp, praising the calibre of its staff and expressing the hope that Sourcefire may yet become a collaborator and partner in the OISF project.

"We want a good relationship as they have some of the best minds in the field on their staff," he told The Register. "But unfortunately things have not been cooperative in the last two years of OISF development. Some of it is misquotes and blown out of proportion statements in the press, and some are genuine misunderstandings."

The OISF is not out to bury Snort but rather to wake the project from its current torpor. "We have not said Snort is dead," Jonkman explained. "I am clearly saying it hasn't innovated in a long time, and we need to push it further."

However attitudes in the Sourcefire/Snort camp are turning against OISF, making an early rapprochement increasingly unlikely.

Matt Olney, a senior researcher in Sourcefire's vulnerability research team, said that he has become disillusioned with the OISF since last December, after initially welcoming the creation of the project.

Olney cites Sourcefire internal testing figures that show Suricata running far slower than Snort on the same hardware. These are not objective tests, even if you disregard the fact that Suricata is still in development, but they irk Olney because OISF has cited performance as a reason to embrace multi-threading, which Sourcefire opposes.

The rejection by the OISF of rule obfuscation is another objection. Obfuscation of rules makes it harder for hackers to figure out the workings of IPS defences. This approach also makes it easier for the likes of Microsoft and Oracle to pass on vulnerability information, according to Sourcefire.

But the most serious gripe from the Sourcefire crowd seems to revolve around OISF's federal funding, as the shouty conclusion to an otherwise technically detailed and lengthy blog post by Olney last week illustrates:

The OISF has spent nearly a million dollars to fulfill their obligation to the DHS to deliver the next generation in IDS [intrusion detection systems - the forerunner to IPS] engines.  They have since engaged in all manner of wishful thinking, self-aggrandizement and Snort bashing. They've failed, utterly, to deliver on their promises. This is forgivable on the performance front, that problem is non-trivial.

But in the end, what they've built is a poorly functioning Snort-clone, missing the most powerful detection capability that Snort has. There isn't anything in the way of innovation; they are taking the same approach as everyone else from a detection standpoint. Simply put, rehashing isn't innovation.

Olney all but accuses OISF of socialising information security in a hard-hitting post that shows little scope for compromise. The two sides have arrived at entrenched positions and appeared poised to fight for the future of open source intrusion prevention technology.

It promises to be one hell of a fight, of the sort the networking world hasn't witnessed since the battle between ATM and Token Ring in the 1990s, with political disagreements (and possibly abandonment issues from the Snort camp) adding extra spice to the mix. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.