Feeds

Battle joined for future of open source IPS

Snort bares teeth at DHS-backed project

Using blade systems to cut costs and sharpen efficiencies

"Sourcefire not revealing the development roadmap for Snort, and not accepting community input or code, is what they [the DHS] do not feel is acceptable," Jonkman explained.

Jonkman held out an olive branch to the Snort camp, praising the calibre of its staff and expressing the hope that Sourcefire may yet become a collaborator and partner in the OISF project.

"We want a good relationship as they have some of the best minds in the field on their staff," he told The Register. "But unfortunately things have not been cooperative in the last two years of OISF development. Some of it is misquotes and blown out of proportion statements in the press, and some are genuine misunderstandings."

The OISF is not out to bury Snort but rather to wake the project from its current torpor. "We have not said Snort is dead," Jonkman explained. "I am clearly saying it hasn't innovated in a long time, and we need to push it further."

However attitudes in the Sourcefire/Snort camp are turning against OISF, making an early rapprochement increasingly unlikely.

Matt Olney, a senior researcher in Sourcefire's vulnerability research team, said that he has become disillusioned with the OISF since last December, after initially welcoming the creation of the project.

Olney cites Sourcefire internal testing figures that show Suricata running far slower than Snort on the same hardware. These are not objective tests, even if you disregard the fact that Suricata is still in development, but they irk Olney because OISF has cited performance as a reason to embrace multi-threading, which Sourcefire opposes.

The rejection by the OISF of rule obfuscation is another objection. Obfuscation of rules makes it harder for hackers to figure out the workings of IPS defences. This approach also makes it easier for the likes of Microsoft and Oracle to pass on vulnerability information, according to Sourcefire.

But the most serious gripe from the Sourcefire crowd seems to revolve around OISF's federal funding, as the shouty conclusion to an otherwise technically detailed and lengthy blog post by Olney last week illustrates:

The OISF has spent nearly a million dollars to fulfill their obligation to the DHS to deliver the next generation in IDS [intrusion detection systems - the forerunner to IPS] engines.  They have since engaged in all manner of wishful thinking, self-aggrandizement and Snort bashing. They've failed, utterly, to deliver on their promises. This is forgivable on the performance front, that problem is non-trivial.

But in the end, what they've built is a poorly functioning Snort-clone, missing the most powerful detection capability that Snort has. There isn't anything in the way of innovation; they are taking the same approach as everyone else from a detection standpoint. Simply put, rehashing isn't innovation.

Olney all but accuses OISF of socialising information security in a hard-hitting post that shows little scope for compromise. The two sides have arrived at entrenched positions and appeared poised to fight for the future of open source intrusion prevention technology.

It promises to be one hell of a fight, of the sort the networking world hasn't witnessed since the battle between ATM and Token Ring in the 1990s, with political disagreements (and possibly abandonment issues from the Snort camp) adding extra spice to the mix. ®

Boost IT visibility and business value

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.