Feeds

Battle joined for future of open source IPS

Snort bares teeth at DHS-backed project

Beginner's guide to SSL certificates

"Sourcefire not revealing the development roadmap for Snort, and not accepting community input or code, is what they [the DHS] do not feel is acceptable," Jonkman explained.

Jonkman held out an olive branch to the Snort camp, praising the calibre of its staff and expressing the hope that Sourcefire may yet become a collaborator and partner in the OISF project.

"We want a good relationship as they have some of the best minds in the field on their staff," he told The Register. "But unfortunately things have not been cooperative in the last two years of OISF development. Some of it is misquotes and blown out of proportion statements in the press, and some are genuine misunderstandings."

The OISF is not out to bury Snort but rather to wake the project from its current torpor. "We have not said Snort is dead," Jonkman explained. "I am clearly saying it hasn't innovated in a long time, and we need to push it further."

However attitudes in the Sourcefire/Snort camp are turning against OISF, making an early rapprochement increasingly unlikely.

Matt Olney, a senior researcher in Sourcefire's vulnerability research team, said that he has become disillusioned with the OISF since last December, after initially welcoming the creation of the project.

Olney cites Sourcefire internal testing figures that show Suricata running far slower than Snort on the same hardware. These are not objective tests, even if you disregard the fact that Suricata is still in development, but they irk Olney because OISF has cited performance as a reason to embrace multi-threading, which Sourcefire opposes.

The rejection by the OISF of rule obfuscation is another objection. Obfuscation of rules makes it harder for hackers to figure out the workings of IPS defences. This approach also makes it easier for the likes of Microsoft and Oracle to pass on vulnerability information, according to Sourcefire.

But the most serious gripe from the Sourcefire crowd seems to revolve around OISF's federal funding, as the shouty conclusion to an otherwise technically detailed and lengthy blog post by Olney last week illustrates:

The OISF has spent nearly a million dollars to fulfill their obligation to the DHS to deliver the next generation in IDS [intrusion detection systems - the forerunner to IPS] engines.  They have since engaged in all manner of wishful thinking, self-aggrandizement and Snort bashing. They've failed, utterly, to deliver on their promises. This is forgivable on the performance front, that problem is non-trivial.

But in the end, what they've built is a poorly functioning Snort-clone, missing the most powerful detection capability that Snort has. There isn't anything in the way of innovation; they are taking the same approach as everyone else from a detection standpoint. Simply put, rehashing isn't innovation.

Olney all but accuses OISF of socialising information security in a hard-hitting post that shows little scope for compromise. The two sides have arrived at entrenched positions and appeared poised to fight for the future of open source intrusion prevention technology.

It promises to be one hell of a fight, of the sort the networking world hasn't witnessed since the battle between ATM and Token Ring in the 1990s, with political disagreements (and possibly abandonment issues from the Snort camp) adding extra spice to the mix. ®

Remote control for virtualized desktops

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Reducing the cost and complexity of web vulnerability management
How using vulnerability assessments to identify exploitable weaknesses and take corrective action can reduce the risk of hackers finding your site and attacking it.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.