Feeds

Battle joined for future of open source IPS

Snort bares teeth at DHS-backed project

Protecting against web application threats using SSL

"Sourcefire not revealing the development roadmap for Snort, and not accepting community input or code, is what they [the DHS] do not feel is acceptable," Jonkman explained.

Jonkman held out an olive branch to the Snort camp, praising the calibre of its staff and expressing the hope that Sourcefire may yet become a collaborator and partner in the OISF project.

"We want a good relationship as they have some of the best minds in the field on their staff," he told The Register. "But unfortunately things have not been cooperative in the last two years of OISF development. Some of it is misquotes and blown out of proportion statements in the press, and some are genuine misunderstandings."

The OISF is not out to bury Snort but rather to wake the project from its current torpor. "We have not said Snort is dead," Jonkman explained. "I am clearly saying it hasn't innovated in a long time, and we need to push it further."

However attitudes in the Sourcefire/Snort camp are turning against OISF, making an early rapprochement increasingly unlikely.

Matt Olney, a senior researcher in Sourcefire's vulnerability research team, said that he has become disillusioned with the OISF since last December, after initially welcoming the creation of the project.

Olney cites Sourcefire internal testing figures that show Suricata running far slower than Snort on the same hardware. These are not objective tests, even if you disregard the fact that Suricata is still in development, but they irk Olney because OISF has cited performance as a reason to embrace multi-threading, which Sourcefire opposes.

The rejection by the OISF of rule obfuscation is another objection. Obfuscation of rules makes it harder for hackers to figure out the workings of IPS defences. This approach also makes it easier for the likes of Microsoft and Oracle to pass on vulnerability information, according to Sourcefire.

But the most serious gripe from the Sourcefire crowd seems to revolve around OISF's federal funding, as the shouty conclusion to an otherwise technically detailed and lengthy blog post by Olney last week illustrates:

The OISF has spent nearly a million dollars to fulfill their obligation to the DHS to deliver the next generation in IDS [intrusion detection systems - the forerunner to IPS] engines.  They have since engaged in all manner of wishful thinking, self-aggrandizement and Snort bashing. They've failed, utterly, to deliver on their promises. This is forgivable on the performance front, that problem is non-trivial.

But in the end, what they've built is a poorly functioning Snort-clone, missing the most powerful detection capability that Snort has. There isn't anything in the way of innovation; they are taking the same approach as everyone else from a detection standpoint. Simply put, rehashing isn't innovation.

Olney all but accuses OISF of socialising information security in a hard-hitting post that shows little scope for compromise. The two sides have arrived at entrenched positions and appeared poised to fight for the future of open source intrusion prevention technology.

It promises to be one hell of a fight, of the sort the networking world hasn't witnessed since the battle between ATM and Token Ring in the 1990s, with political disagreements (and possibly abandonment issues from the Snort camp) adding extra spice to the mix. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.