Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Is Open Source SNORT Dead?

CmdrTaco posted more than 4 years ago | from the migrate-to-chortle dept.

Security 127

alphadogg writes "Is Snort, the 12-year-old open-source intrusion detection and prevention system, dead? The Open Information Security Foundation, a nonprofit group funded by the US Dept. of Homeland Security to come up with next-generation open source IDS/IPS, thinks so. But Snort's creator, Martin Roesch, begs to differ, and in fact, calls the OISF's first open source IDS/IPS code, Suricata 1.0 released this week, a cheap knock-off of Snort paid for with taxpayer dollars. The OISF was founded about a year and a half ago with $1 million in funding from a DHS cybersecurity research program, according to Matt Jonkman, president of OISF. He says OISF was founded to form an open source alternative and replacement to Snort, which he says is now considered dead since the research on what is supposed to be the next-generation version of Snort, Snort 3.0, has stalled."

cancel ×

127 comments

Sorry! There are no comments related to the filter you selected.

Yeah (0, Flamebait)

Idimmu Xul (204345) | more than 4 years ago | (#32976550)

Yeah, it's dead. HTH.

Re:Yeah (1)

ta bu shi da yu (687699) | more than 4 years ago | (#32976800)

What I like is not the fact that it's "dead". I like the fact that the twitter feed for that article is picking up anyone who snorts on Twitter. Yay computer security, bringing the unwashed masses together!

Re:Yeah (0)

Anonymous Coward | more than 4 years ago | (#32977368)

Yay computer security, bringing the unwashed masses together!

We prefer "bathing intolerant" if you don't mind.

How can that be now? (0)

Anonymous Coward | more than 4 years ago | (#32976616)

This is not a good thing for anyone concerned !!

Open source project dead? How can that be now?

Nonsense (0)

Anonymous Coward | more than 4 years ago | (#32976624)

First of all, 1 million dollars does not sound like cheap ripoff ;)

Second, I have never quite understood Snort to be honest. It has never been able to detect anything besides irrelevant noise (obscure bugs related to ancient software) and the project has never had any idea about the management tools related to the main engine. In fact there has not been any credible tools. If this Suricata project will create such it imho doesn't matter really if they stole all the code from Snort. Snort people didn't do very well with it anyways.

Re:Nonsense (2, Informative)

Anonymous Coward | more than 4 years ago | (#32977126)

A million dollars in government money actually only buys you about $1000 in actual work.

Re:Nonsense (0)

Anonymous Coward | more than 4 years ago | (#32978234)

Second, I have never quite understood Snort to be honest. I have never been able to detect anything besides irrelevant noise (obscure bugs related to ancient software) and I have never had any idea about the management tools related to the main engine. In fact I have been an incredible tool.

FIFY.

Just because YOU were unable to use snort effectively doesn't mean everyone is unable to use it. Snort is only dead to people who shouldn’t be trying to analyze network traffic in the first place because they lack the aptitude.

No way (4, Funny)

gparent (1242548) | more than 4 years ago | (#32976628)

Netcraft hasn't confirmed it yet.

It's not dead. (5, Insightful)

saintlupus (227599) | more than 4 years ago | (#32976630)

Snort is nowhere near dead - it's still used in tons of production environments, especially in higher ed (where we've always got plenty of Unix nerds on hand, and never have any money).

I would imagine Marty's objections probably have something to do with his desire to move people from Snort to the commercial IDS offerings from Sourcefire. That easy upsell doesn't exist if people start off on another product.

--saint

Re:It's not dead. (2, Interesting)

Arathrael (742381) | more than 4 years ago | (#32977428)

I suspect in a lot of places where Snort is used, it's mostly just sitting there quietly generating thousands of mostly '(http_inspect) DOUBLE DECODING ATTACK' alerts and being completely ignored. It's easy enough to set it up, but out of the box it typically generates an awful lot of noise in the form of largely useless alerts, so it takes some configuring (and understanding of exactly what those alerts are) to get it to a point where it's really useful.

And yes, I reckon that the commercial aspect to Snort probably is a key factor in this argument. They push that quite heavily IMO with (e.g.) new rules only being available to subscribers and other users having to register and wait until they're 30 days old to download them.

I'm curious as to whether Suricata is any good, I might have to check it out. Also, meerkats.

Re:It's not dead. (2, Insightful)

alexborges (313924) | more than 4 years ago | (#32980218)

"Out of the box" IDS's are crap.

IDS and IPS is a process that needs a human analyst. Pretending that software will adapt and respond to attacks by humans is just the wrong way to go about the network security issue. In that area, nothing beats snort: it is THE best tool for a good analyst to do the best possible job.

Re:It's not dead. (1)

mcgrew (92797) | more than 4 years ago | (#32977718)

From TFA: "Snort is not conducive to IPv6 nor to multi-threading, And Snort 3.0 has been scrapped."

I'd say Dr. Kevorkian is on his way, unless someone picks the project up and forks it. That's one of the beauties of open source; when Microsoft stops support of XP, XP is dead. When any FOSS developers stop support, anybody with the necessary skills can revive it.

Re:It's not dead. (4, Informative)

saintlupus (227599) | more than 4 years ago | (#32980184)

According to Marty, when asked about IPv6 support at this year's EDUCAUSE Security conference, Snort will happily inspect IPv6 traffic if you configure the HOME_NET to be an IPv6 network.

There's no explicit option to turn it on, because it shifts from v4 to v6 when the rest of the configuration is set up properly. This subtlety seems to elude people. Well, either that or the guy who initially wrote the software doesn't know how it works.

--saint

Re:It's not dead. (1)

Lord Ender (156273) | more than 4 years ago | (#32977814)

It is "used" so that companies can check the "have IDS" box during audits. It is ignored, because it generates too many false positives.

Re:It's not dead. (1)

bugs2squash (1132591) | more than 4 years ago | (#32978798)

The same could be said of any commercial IDS creating false positives too.
I like snort because it is pretty easy to create my own rules to look for traffic I am interested in and to raise an alarm. We use a Cisco IDS for the "checkbox filling" part as it fills a checkbox with fewer questions asked, but I use snort as well because the analytical support it has provided over the years has been great. It's also a great way to answer some of the after-the-fact questions that get raised, just run snort on an old packet capture file and tell it what to look for.

Is this a fork? (2, Insightful)

Anonymous Coward | more than 4 years ago | (#32976636)

Is this a fork or is DHS replicating Snort without copying the code?

Why is it that I have a queasy feeling in my gut about network security tools supplied by DHS?

Recommended replacements? (1)

andymurd (556579) | more than 4 years ago | (#32976646)

So what alternatives do /. recommend? Open source preferred.

Re:Recommended replacements? (0)

Anonymous Coward | more than 4 years ago | (#32976714)

http://www.bro-ids.org

Re:Recommended replacements? (1)

rgviza (1303161) | more than 4 years ago | (#32976728)

for snort 2.8? snort 2.9.

"Rip Off"? (2, Interesting)

Anonymous Coward | more than 4 years ago | (#32976658)

Seriously? Having use Suricata...a lot...I can tell you it's much of what SNORT should have become. A rip off it is not. Multi-threading alone is a God-send.

Re:"Rip Off"? (1, Interesting)

Anonymous Coward | more than 4 years ago | (#32977014)

Yet they went from 0 to done in a year with 1 million dollars? Meaning 2-4 devs/testers/managers for 1 year. With all the same features as snort and then some. Meaning they took snort and extended it. Then instead of folding those changes back into snort are claiming it as their own. A million dollars sounds like a lot. However, at contractor rates its not much.

Forks are fine and all. However, they are making it like their base code is 'dead' so they get more eyeballs for 'their' base code. All in all kind of a shifty way to take over a project. Thats not a fork. Thats a powergrab and they do not want to share the koolaid with the people who brought the punchbowl.

Now maybe they tried to fold their changes back and the snort guys shot them down? As they are 'changing everything'. Well eventually people get tired of waiting for these mythical changes to become real. I have seen this in many open-source projects too. It probably is the one of the major reasons for forks in the first place.

Havent followed either project. But many times in tiffs like this it just becomes a bunch of babies arguing about who should be in charge. This smells like one of those arguments.

Re:"Rip Off"? (1)

PitaBred (632671) | more than 4 years ago | (#32978382)

Why fold their changes back? As long as the code is released GPL, it's a waste of their time to try to go "backards" with their updates to the code. Let the snort guys do that if they want to.

Re:"Rip Off"? (1)

alexborges (313924) | more than 4 years ago | (#32980238)

I dont think suricata is a fork of snort.

Re:"Rip Off"? (1)

Sancho (17056) | more than 4 years ago | (#32977414)

The reports I've seen have Suricata performing much more slowly than snort, even with multiple threads.

Great summary quote (3, Informative)

MikeBabcock (65886) | more than 4 years ago | (#32976660)

For people who don't read the article:

Suricata's top speeds today may be slower than Snort's. Jonkman is citing Suricata at 8 to 10 Gbit/sec and Roesch cites Snort at 50 Gbit/sec, with both acknowledging a lot of range due to platform use. But beyond that, Roesch says Suricata is basically a "sub-set of Snort's functionality at a fraction of its performance." He even calls Suricata a "clone of Snort" as it uses Snort signatures. The OISF's description of Suricata does include how to use Snort signatures with Suricata and transition off of the Snort platform.

"They've produced a clone of Snort that performs worse at taxpayer's expense," Roesch says. "They haven't advanced IDS."

So, the taxpayer paid good money to develop a slower and less functional version of an already open-source product. Brilliant.

SELinux was a good investment of taxpayer dollars. This was not, as far as I can tell.

Re:Great summary quote (5, Interesting)

Hylandr (813770) | more than 4 years ago | (#32976774)

Having been a Navy contractor in just this exact field, my experience with govt / military jobs indicates to me that this is a lot of stovepipe rooster crowing.

Self important BS Hype to justify the tax dollars and get the pats on the back. The positive comments here for this 1.5m hack of snort is more than likely astro turfing. Up until now, I haven't even heard of Suricata.

Can someone provide a link where this has been in some mainstream IT circles being debated as Beta release candidates were released etc?

- Dan.

Re:Great summary quote (2, Informative)

Anonymusing (1450747) | more than 4 years ago | (#32976820)

Of course, Jonkman does not mention any features that Suricata has, which Snort does not, like multithreading...

Re:Great summary quote (2, Informative)

Sancho (17056) | more than 4 years ago | (#32977596)

Multithreading is really only a feature if it gets you some benefit (usually that benefit is increased performance.) There are reports which mirror my own findings that indicate that Snort performs much better on one core than Suricata. Snort's Vulnerability Response Team has a blog post that just went up on this exact subject--of course, they have a vested interest in promoting Snort.

http://vrt-sourcefire.blogspot.com/2010/07/innovation-you-keep-using-that-word.html [blogspot.com]

The same physical machine ran Suricata and Snort, and Snort ran almost four time faster:

"Suricata peaked at about 300 Mb/s without dropping packets, provided no rules are loaded.
With rules loaded, Suricata runs up to about 200Mb/s.
Snort, with rules, hits 894Mb/s with no drops" -- Internal VRT Report on Suricata Performance

Now they don't talk about their testbed, so I'm assuming the worst case for Suricata--single core. At four cores, then, Suricata could match Snort's performance. Scaling up further, it could in theory beat it.

Now Suricata is also taking an ethical stand against compiled rules, which I like--to a degree. I recognize that there are tests which are hard or impossible to perform using Snort's rules language, but at the same time, I want to be able to look at the rule and see how likely it is to be a false positive. Over the years, the VRT has put out some rules which I would consider laughable. In a highly tuned context, they might work okay. In a larger context (say an ISP or a university, where the sniffers don't necessarily control every machine on the network) they false like crazy. Snort doesn't publish any information on how likely a rule is to false, and so if I can't read the rule, I can't gauge that at all.

Re:Great summary quote (0)

Anonymous Coward | more than 4 years ago | (#32977122)

SELinux was a good investment of taxpayer dollars

Two million dollars for jail is not a good investment at all.

Re:Great summary quote (2, Insightful)

LWATCDR (28044) | more than 4 years ago | (#32977310)

I do not know if that is a fair conclusion.
Snort is single threaded.
Suricata supports multi-threading.
So with Snort you are tied to a single core. Not an ideal situation today.

This is starting to look a lot like KDE vs GNOME security throw down.
Snort has been stalled for a while. It is a great program but is not adding any new features.
Suricata is a new FOSS security system. If nothing else competition will make both of them better.
And as to the waste of money? Well maybe it was but I do not think so. If nothing else I feel it is GREAT that this is being done as a FOSS project.

As to the performance claims. What platform was running the tests? What was the load on the platforms? 8 to 10 Gbit/sec is going to do the trick for what Percentage of users? How many people have a single internet connection that matches that?
And being multi threaded Suricata may very well scale better than Snort in the future as we are going for more and more cores vs faster cores.
As I said sometime competition is a good thing.

Re:Great summary quote (2, Informative)

Sancho (17056) | more than 4 years ago | (#32977622)

Snort runs pretty fast, even if it only uses one core. If you can split your traffic, you can also run two instances of Snort on the same box. Not an ideal solution, but it's an option.

Once Suricata starts getting better performance, I'll re-evaluate it. For now, in our environment, Snort still outperforms it on the hardware which is within our budget.

Re:Great summary quote (1)

LWATCDR (28044) | more than 4 years ago | (#32979176)

But isn't it nice to have options?
And if nothing else it may encourage Snort to be even better.

Re:Great summary quote (2, Interesting)

Sancho (17056) | more than 4 years ago | (#32979242)

Absolutely. But usually, you need to be pushing the envelope in order to get your competitors to do the same. Suricata isn't there yet, so Snort can still rest on its laurels.

Re:Great summary quote (2, Interesting)

MikeBabcock (65886) | more than 4 years ago | (#32978676)

Multi-threading a stream isn't implicitly better. A lot of the work for analyzing a packet stream needs to be single-threaded anyway (or have a lot of locks, eliminating multi-thread benefits) because the packets are coming in one at a time.

Even if you were to break up the incoming packets into streams, then spawn or call a worker thread to handle each stream independently, you'd quickly become resource-bound (due to large numbers of simultaneous streams).

This isn't even remotely like KDE vs. Gnome. Neither is a fork of the other, and there were political issues as well.

Re:Great summary quote (1)

LWATCDR (28044) | more than 4 years ago | (#32979552)

Please stop the literal net. Yes I know that Gnome isn't a fork of KDE. But the picking sides in this case reminds me of the bad manners I see in Gnome vs KDE threads.

As to implicitly better or not we will have to see. What is so annoying is this circle the wagons and name calling mentality that is going on.
Snort is a great program. This is a competitor and brings some interesting new tech to the table.
Competition is a good thing Snort may improve because it now has some competition.
I am sure not going to complain that the government spent money on trying to make a better IDS and that they made it open sourced!
Not every open source program government or not works out and this one is still in the early stages.

Re:Great summary quote (1)

BitZtream (692029) | more than 4 years ago | (#32980318)

This was not, as far as I can tell.

Yet.

The keyword is yet.

SELinux was a shitty investment ... right up until the point where it became useful.

You don't start instantly doing better than your competition, thats simply not the way it works.

It does, to me, seem silly to recreate the wheel and keep it GPL. If my tax dollars are going to be spent I expect I more permissive license to be used.

I'm not okay with paying to have someone write GPL software with my tax money. I'll accept BSD, MIT, Apache, X11 and public domain. GPL is unacceptable.

So in short (5, Insightful)

Anonymous Coward | more than 4 years ago | (#32976680)

Okay, so a competing product comes out, they declare their competitor is dead, said competitor says "i'm not dead yet" and accuses them of being a cheap knockoff. Both sides continue to point out flaws or perceived flaws and throw FUD at each other.

Re:So in short (0)

Anonymous Coward | more than 4 years ago | (#32977576)

With the additional twist of US taxpayers funding the development of the competing product.

Confusing Story Considering Snort's Activity (3, Interesting)

eldavojohn (898314) | more than 4 years ago | (#32976686)

If you go to the page, 2.8.6-1 was released in April of this year [snort.org] . I guess that's a sign of recent life. Granted, 3.0 appears to be a year before that [snort.org] . I don't think competition between two open source projects is a bad thing. Hell, it's great for the end users. Roesch claims OISF's tool is way slower than SNORT. So let the two fight it out and reap the benefits.

I think the most serious claim against SNORT came at the end of the article:

"Sourcefire controls the intellectual property and the update cycle for changes. They use the install base of Snort to market their commercial solutions," Stiennon says. "I am not saying that is a bad thing for Snort users but it is limiting to the overall development of threat mitigation technology from the open source community."

If that's true, that is not cool. I hate it so much when I'm just trying install PDFCreator or some other GPL'd tool and part of the install process involves a default click box to also install Yahoo's toolbar in all my browsers. It's great to see companies back particular open source projects but I do not care for companies that take hold of the reigns and/or use it to propagate their own proprietary tools. It's one of the reasons I'll consider Flex better than Silverlight but never will I consider it open source despite the SDK source being available. It's got vendor lockin associated with it.

Re:Confusing Story Considering Snort's Activity (5, Informative)

martyroesch (589524) | more than 4 years ago | (#32977222)

That's not true, Snort development continues in the open and contributions are still taken from the community. We don't use the community to market our commercial solutions at all, in fact we have strict prohibitions against marketing commercial solutions on the Snort mailing lists.

Stiennon takes the next wrong step by saying that we're preventing the ENTIRE OPEN SOURCE COMMUNITY from developing threat mitigation technology. Completely wrong. You can still add your own patches to Snort either as a contribution to the project or as an external patch, Sourcefire does nothing to prevent that.

We also don't require that you install anything other than Snort when you grab it from snort.org, getting and installing Snort today is just like it was before Sourcefire started. If you don't have the problems that Sourcefire solves (scalability and manageability for the mid to large enterprise) you'd probably barely notice we're out there.

Re:Confusing Story Considering Snort's Activity (3, Insightful)

Animaether (411575) | more than 4 years ago | (#32977224)

I hate it so much when I'm just trying install PDFCreator or some other GPL'd tool and part of the install process involves a default click box to also install Yahoo's toolbar in all my browsers. It's great to see companies back particular open source projects but I do not care for companies that take hold of the reigns and/or use it to propagate their own proprietary tools.

Aren't those Yahoo! Toolbar, Google Toolbar, Google Earth, Ask.com default homepage, StarOffice etc. options implemented by the developer by choice in order to get a kickback (some fractions of dollars, I suppose) - rather than the companies behind these solutions 'taking hold of' the projects and inserting them?

Re:Confusing Story Considering Snort's Activity (1)

CAIMLAS (41445) | more than 4 years ago | (#32979822)

Indeed. In fact, using similar qualifiers of "dead", the following projects are "dead" as well:

* Samba (minor/bug releases in 3.5 last month; samba 4, which has been in development since the beginning of time, is still "alpha")
* Apache (we've been at 2.2 for how long now? 2.4 is nowhere in sight).
* Linux (2.6 is something like 6 years old now; the architecture is old and dated despite evolutionary changes. No plans for a 2.8 or 3.0. )
* gnome2/gtk2 (THese haven't seen any significant change in probably close to 5+ years now)
* probably 100+ other popular projects which see nothing much more than semi-frequent updates and fixes but are still used by many, many people. vim, Xorg, emacs, latex, cacti, etc.

But, guess what - in all of these projects, change is occurring. THey're still being patched and updated. With snort, there are 3rd party definition repositories which likewise get updated often.

In short: this article is bunk.

WTF? (1, Troll)

rgviza (1303161) | more than 4 years ago | (#32976706)

The linked article wins the title of Dumbass Article of the Week.

Re:WTF? (0, Offtopic)

orangeyouglad (1246256) | more than 4 years ago | (#32976792)

The submitter probably didn't have his or her cup of coffee yet. I no I haven't had mine.

Why, it's not Open Source . . . it's . . . (5, Insightful)

PolygamousRanchKid (1290638) | more than 4 years ago | (#32976744)

The OISF was founded about a year and a half ago with $1 million in funding from a DHS cybersecurity research program . . .

Open Pork!

Re:Why, it's not Open Source . . . it's . . . (1)

steelfood (895457) | more than 4 years ago | (#32980918)

Open Pork!

Spice it up, cure it, and you've got youself some government-funded spam!

From the OISF site... (3, Informative)

Capt James McCarthy (860294) | more than 4 years ago | (#32976754)

"The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field. "

You make the call.

Re:From the OISF site... (1)

kangsterizer (1698322) | more than 4 years ago | (#32976808)

My caps detector says it's probably bad!

ls is dead (4, Funny)

vlm (69642) | more than 4 years ago | (#32976776)

In other news, the ls command is also dead. When was the last major functional change for ls? When was the last time you saw a major support contract signed for the ls command? Note that I am accepting $1M contract offers to implement the next generation directory listing program, which I will be naming dir.exe, although I haven't decided whats more trendy, enterprise Java, ruby on rails, or maybe erlang?

Re:ls is dead (1)

silverglade00 (1751552) | more than 4 years ago | (#32976906)

although I haven't decided whats more trendy, enterprise Java, ruby on rails, or maybe erlang

Most trendy to use Lua so you can check your files right inside WoW.

Re:ls is dead (2, Informative)

skids (119237) | more than 4 years ago | (#32977238)

Hey, say what you will about Lua, for example "who in their right mind uses 1-based array indexing", but at least it has coroutines, which is more than lots of languages can say for themselves.

Re:ls is dead (1, Funny)

Anonymous Coward | more than 4 years ago | (#32978976)

Yeah but who in their right mind uses 1-based array indexing?

Re:ls is dead (4, Insightful)

blincoln (592401) | more than 4 years ago | (#32976908)

When was the last major functional change for ls? When was the last time you saw a major support contract signed for the ls command?

When was the last time the landscape of Unix-style directory listings changed significantly? Security-related products need to constantly adapt to new types of threat as well as new variations on older types.

Think about how much the world of computer security has changed over the last couple of decades. When I had my first dialup shell account with internet access, the idea that there would be a major black-market industry for professionals writing malicious code was literally science fiction.

Meanwhile, the standard Unix-style directory listing still seems to work fine for most people. I haven't looked into the more specialized (SELinux) variations, but I imagine if there were significant changes to the Unix filesystem security model (e.g. if very complicated NTFS-style permissions were implemented), then ls would probably be significantly extended so that it would accurately represent the additional information.

Re:ls is dead (2, Insightful)

drinkypoo (153816) | more than 4 years ago | (#32977022)

I imagine if there were significant changes to the Unix filesystem security model (e.g. if very complicated NTFS-style permissions were implemented), then ls would probably be significantly extended so that it would accurately represent the additional information.

POSIX.2 allows for ACLs and all major Linux filesystems (Among others, but that's my current area of expertise in computing) have support for them. No mention of "acl" or "ACL" in the manpage for ls.

Re:ls is dead (1)

An ominous Cow art (320322) | more than 4 years ago | (#32979662)

By coincidence, I happened to notice this yesterday:

C:\>ls --help
Usage: ls [OPTION]... [FILE]...
List information about the FILEs (the current directory by default).

ls version 4.3.169 2005/09 for Microsoft Windows.
Microsoft Windows extensions by Alan Klietz
Get the latest version at http://utools.com/msls.asp [utools.com]

    -a, --all do not hide entries starting with .
    -A, --almost-all do not list implied . and ..
            --acls[=STYLE] show the file Access Control Lists (ACL):
                                                STYLE may be `short', `long', `very-long'
                                                or `none'

This is Cygwin, obviously. So, ls has support for ACLs, but probably has to be compiled in and is probably OS-dependent. I have not looked at the source.

Re:ls is dead (1)

Rysc (136391) | more than 4 years ago | (#32979776)

Try the info pages maybe? In fact the output of ls -l could be altered to include ACL information, but it would not be very practical as there could be a lot of it. I wouldn't be opposed to some kind of sigil indicating "ACLs exist for this file" - that would be useful, then I could know to getfacl for details.

Re:ls is dead (2, Insightful)

amorsen (7485) | more than 4 years ago | (#32977054)

(e.g. if very complicated NTFS-style permissions were implemented)

They are, it's just that nobody uses them. Well except me. Linux with ext3 has had them for ages, and e.g. HP-UX had them in '94 -- probably earlier, but that's when I used them for the first time.

ls doesn't do much useful with them on Linux though. You need getfacl/setfacl for that.

Re:ls is dead (1)

value_added (719364) | more than 4 years ago | (#32977340)

They are, it's just that nobody uses them. Well except me.

Nobody uses them on Windows either (past accepting the defaults), so you are special. Just like mom told you. ;-)

Getting back to the original off-topic topic, I'm wondering how you'd think 'ls' could display ACLs and maintain standard columnar output. The fact that you can't get a simple, clear, easy to understand and use octal representation, for example, is, I think, one of the many reasons people stay away from them.

Re:ls is dead (0)

Anonymous Coward | more than 4 years ago | (#32979728)

I'm wondering how you'd think 'ls' could display ACLs and maintain standard columnar output.

They've had this in Windows NT forever, it's called the "Centuries-Ahead Clone of LS", aka cacls.exe ;c)

I (ab)use them (0)

Anonymous Coward | more than 4 years ago | (#32980740)

NT ACLs extend far beyond the file system. Pretty much everything can have a security context, all under the same model. Filesystem objects, running applications, devices, windows, sessions, you name it, it probably has an NT ACL context. I have used this to create a complete system and domain wide tagging system by attaching a powerless dummy user to anything that needs a tag context and storing various criteria in that user's active directory record. I have a handful of users and groups (4 of each) which can be combined in several ways to create over 100 different "tags" that can be assigned to any object, with minimal resource usage.

Re:ls is dead (1)

Jorl17 (1716772) | more than 4 years ago | (#32978326)

Good way to refute his argument. The thing to learn is: "Analogies suck, stick to something better". Yeah, I love the vague "something better" as well.

Re:ls is dead (0)

Anonymous Coward | more than 4 years ago | (#32979754)

No telling how much suffering has been set upon the world because of bad analogies.

Re:ls is dead (0)

Anonymous Coward | more than 4 years ago | (#32980382)

f there were significant changes to the Unix filesystem security model (e.g. if very complicated NTFS-style permissions were implemented)

You mean something like EXT4? Check, done.

Snort's just fine (4, Insightful)

guruevi (827432) | more than 4 years ago | (#32976788)

It may not be developed on very actively but that's because it doesn't need to be. It does everything it needs to do and for the rest, the community and any capable sysadmin can make their own rules. At some point the product is finished and all you can do is bugfix it. Adding features makes stuff bloated and is only necessary if you need to sell the stuff in a commercial setting. That's the power of open source, once a product is finished, it's done with. Eventually somebody will rewrite it (if the code is really bad) or make it run better (if architectures change) but a well-written program won't need either in the near future.

Look at the rsync library. The only thing that was fixed recently is a 64-bit handle to allow for files larger than 4GB to be handled. I don't believe the original programmer is even around anymore to fix stuff on it since the 4GB patch is not included in the official rsync distribution. But it's still widely used without any problems, works as intended and isn't going away soon.

Re:Snort's just fine (2, Informative)

ta bu shi da yu (687699) | more than 4 years ago | (#32976850)

What, Tridgwell isn't accepting patches? Someone call UNSW!

Sig reply (1)

daeglo (1822126) | more than 4 years ago | (#32976954)

One's right to life, liberty, property, speech, press, freedom of worship and assembly may not be submitted to vote

Are you certain about this? Perhaps we should have a poll about this.

-- It may be flamebait, but it's funny.

Re:Snort's just fine (0)

Anonymous Coward | more than 4 years ago | (#32976978)

It's actively developed, 2.8.6 just came out awhile ago, and 2.9 is in progress. Anyone who thinks differently is obviously stupid.

Re:Snort's just fine (1)

Trivial Solutions (1724416) | more than 4 years ago | (#32977172)

I think you want the libel article just below in slashdot

Yeah (1)

Frogbert (589961) | more than 4 years ago | (#32976794)

If there is one thing that is terrible for prompting innovation it's competition. I predict both programs will fade into obscurity within 6 months.

Snort is live. 3.0, OTOH... (5, Interesting)

savanik (1090193) | more than 4 years ago | (#32976948)

.... is pretty much DOA.

Speaking as a security professional, we could REALLY use multi-threaded support in our Snort deployments, and the last time I heard 'multi-threaded support is just around the corner' was in 2008.

Right now, the fact that one Snort instance runs as one process linked to one interface in your ethernet stack means that only one core can run it. And with us hitting the plateau in computing speed on a per-core basis, and traffic still increasing, multi-threaded support had better show up in the next couple of years at the latest or I'll have to find some other network-based IDS product, at least for some extreme instances.

North Texas Snort Users Group (3, Informative)

technoid_ (136914) | more than 4 years ago | (#32977070)

Just a heads up. The North Texas Snort Users Group is being revived. I have nothing to do with it, but heard about it at the North Texas Linux Users Group (NTLUG) meeting.

Check out nt-sug.org. [nt-sug.org]

Technoid_

Snort's not dead... (5, Insightful)

martyroesch (589524) | more than 4 years ago | (#32977120)

I should know, I wrote it.

Snort is developed at Sourcefire these days, the company I started and where I still serve as CTO. I am the lead developer on the Snort 3.0 project right now which is undergoing restructuring after the initial few releases showed performance issues that we weren't ready to live with.

Snort 2.x is developed by Sourcefire's engineering team, we release several updates a year to the code and updates to detection almost weekly via the Sourcefire VRT. I don't work on the 2.x code base day to day anymore but I do contribute from time to time. Snort 2.9.0 is slated for release this fall and continues 12 years of development on the engine technology which includes some significant innovation in the field of intrusion detection.

My issue with Suricata is that it has implemented the exact same *detection model* as Snort, it does nothing new from a detection standpoint but wraps it in a multithreaded framework that they're trying to call innovation all on its own. True innovation would be to develop a new way of detecting threats on the wire and they haven't done that, they effectively have implemented the same idea as Snort (processes Snort rules, buffers streams into chunks before processing, etc) on a slower software platform. They implemented what is effectively a Snort fork and did so at taxpayer expense, they got the government to pay them to develop something that the government already gets for free (Snort's detection model) with less features and lower performance.

Someday Suricata might be a really interesting engine but to go out to the press in a concerted push and advance the idea that "Snort is dead" reflects a stunning amount of hubris and wishful thinking. Snort is the most widely deployed IDS/IPS on the planet, there have been millions of downloads and there are hundreds of thousands of registered users and the community is still growing steadily. Snort's engine development is still moving forward and we have plans to continue to innovate in the field of intrusion detection. If the Suricata team wants to displace it they have a tremendous amount of work to do, they're not even close yet.

Re:Snort's not dead... (1, Informative)

Rogerborg (306625) | more than 4 years ago | (#32977580)

Here's the difference, Marty.

When I go to SourceFire, I see plenty of ways for me to investimentise in my partneritude, but I can't for the life of me seem to find the source of your "open source" product.

When I go to Suricata, the source link is right there on the front page.

Re:Snort's not dead... (0)

Anonymous Coward | more than 4 years ago | (#32977734)

If you're looking for the source for Snort, try looking at snort.org. It's only been there for about ten years now.

Re:Snort's not dead... (4, Informative)

rotide (1015173) | more than 4 years ago | (#32977748)

Did you even look at the downloads page?:
http://www.snort.org/snort-downloads [snort.org]

Second link is "source".

If you want the 3.0 source go to:
http://www.snort.org/snort-downloads/snort-3-0/ [snort.org]

Maybe these weren't the sources you were looking for?

Re:Snort's not dead... (1)

Rogerborg (306625) | more than 4 years ago | (#32978588)

When I wrote "SourceFire site", you read "snort.org" because...?

Re:Snort's not dead... (1)

h4rr4r (612664) | more than 4 years ago | (#32978892)

Because you went to the wrong website. That one is just for commercial support, they keep it separate to show their seriousness about FREE software.

Re:Snort's not dead... (1)

X.25 (255792) | more than 4 years ago | (#32978956)

When I wrote "SourceFire site", you read "snort.org" because...?

Are you going to keep showing how stupid you are, or you think it's time to stop?

Please go to http://www.ibm.com/ [ibm.com] and try to find their opensource projects on the front page.

Re:Snort's not dead... (1)

_Sprocket_ (42527) | more than 4 years ago | (#32979946)

When I wrote "SourceFire site", you read "snort.org" because...?

When you wanted to get source code for snort, you went to SourceFire's web page because...?

Re:Snort's not dead... (0)

Anonymous Coward | more than 4 years ago | (#32981000)

When I wrote "SourceFire site", you read "snort.org" because...?

Probably because you were wrong and stupid and the others were trying to help you out.

You acting like a twit just proves the point.

Deal with it.

Re:Snort's not dead... (1, Redundant)

Martin Blank (154261) | more than 4 years ago | (#32977786)

That's because you went to the commercial site. Try going to the Snort site, and click on the big "Download Snort" link. I'll even provide the URL here:

http://www.snort.org/snort-downloads [snort.org]

It's right under the "Source" heading. Not really hard.

Re:Snort's not dead... (0, Troll)

X.25 (255792) | more than 4 years ago | (#32978716)

Here's the difference, Marty.

When I go to SourceFire, I see plenty of ways for me to investimentise in my partneritude, but I can't for the life of me seem to find the source of your "open source" product.

When I go to Suricata, the source link is right there on the front page.

I know that using a brain is hard, so I am always willing to help.

So, here is what you do:

1) Go to http://www.snort.org/ [snort.org]
2) Click on "Download Snort" icon
3) Download Snort

Yeah, I know, it was hard.

Re:Snort's not dead... (2, Funny)

Gerald (9696) | more than 4 years ago | (#32978770)

I went to linux.com and for the life of me I can't find any Linux source code. You're right. These people are losers.

Re:Snort's not dead... (1)

jrouleau (1829808) | more than 4 years ago | (#32978078)

I will agree with you from the standpoint that SNORT is not dead and that it was / is very innovative in the IDS/IPS Space, however, Suricata seems to me to have simplified some things for those who are using the product. From web page layout to finding the exact source code that is currently in production. So from a logistical(?) standpoint finding what you want with Suricata is or seems much easier than SNORT. In addition, true multithreaded handling is an innovation from the standpoint it now balances amongst all the processor cores instead of locking to a single core. You can/do see a difference once you put it under load, so as to being slower I will have to call Baloney on that.

Again, I will agree that they should not have been out saying SNORT is DEAD but should have been touting the improvements that have been made. I for one wait to see what happens with Snort v3.0 and if it will also take to a true multithreaded approach.

To me the overall seems as if You may not be happy that someone beat you to multi-threading and now you stand in a position to play catch-up but I have confidence you will be able to handle it. Intersting times and all.....

Re:Snort's not dead... (2, Informative)

seek3r (165710) | more than 4 years ago | (#32978286)

I have to agree that Snort is not nearly dead. The team at Sourcefire is working to improve the capabilities of both the open source Snort and the commercial product. With the integration we have put together with NTOSpider [ntobjectives.com] (web application security scanner) where NTOSpider is able to generate custom Snort rules for web application vulnerabilities it discovers, this can make Snort a reasonable Web Application Firewall (when in block mode) for accomplishing virtual patches to completely custom web apps. As the Sourcefire team continues to push integration and the Snort rules format to other complimentary technologies, I see an interesting level of advancement on the horizon.

Re:Snort's not dead... (1)

BitZtream (692029) | more than 4 years ago | (#32980416)

Why are you so defensive then?

I use Snort, you're right, I'm not going anywhere any time soon, but why are you so defensive over it.

They added multithreading, which you have not, and otherwise you say they are the same (who am I to argue with the guy who wrote one of them). That does indeed sound like an improvement (assuming its not a horrid implementation).

You used a source code license that permits forking and someone did it and released it with some info about it and you're getting upset.

So they did what basically equates to name calling, big deal, stop throwing a temper tantrum over it.

Angry (2, Insightful)

C_Kode (102755) | more than 4 years ago | (#32977258)

Martin sounds angry. Suricata is new, I wouldn't expect it to blow away the competition at such an early stage. High speed/quality IDS/IPS isn't something that you can xerox off new competitors in 15 minutes. I suspect it's like Firefox's new scripting engine. It was initially slower than the old one, but with time it will overtake it.

Martin makes his money off Snort and doesn't want other free software encroaching on his livelihood. Well Martin, maybe you should put forth more effort into Snort rather than just resting on your laurels.

Re:Angry (1, Informative)

Anonymous Coward | more than 4 years ago | (#32977554)

Sounds more like Martin is clearing up some of the FUD. FUD spread by the Suricata camp....much like M$ spreads FUD against linux, etc.

Ever notice? (2, Insightful)

Anonymous Coward | more than 4 years ago | (#32977360)

Ever notice how funded "non-profits" and new commercial efforts always start by declaring the open source version "dead"? That's a bit like Tesla motors coming out and declaring Ford dead. Whether or not it is true that "Ford is dead", the "competition" has a serious conflict of interest and is in no way qualified to make the declaration. In fact, their need to make such declarations indicates that it is actually far from true.

A better wording for the OISF:
"We think our product is better and we wish Snort would just go away, because we are so tired of hearing from our potential customers 'We use Snort, and it does all that already, why would we switch?'."

OISF is also probably getting really tired of trying to justify every year the expenditure of taxpayer dollars to support a capability that Snort already provides for free. If they really had such a great capability, they wouldn't have any need whatsoever to spread Snort bashing FUD.

OT: Dear Slashdot Admins: PLEASE FIX the mod box (2, Interesting)

Qubit (100461) | more than 4 years ago | (#32977716)

I'm forced to post something in this thread to throw away an accidental mod of "Troll".

If the moderation box gets focus for any reason, it's going to fire off and moderate the person once you exit it. No ifs, ands, or buts.

So here I am, having to throw away 4 or 5 reasonable (well, I thought so, anyway) mods to this article in order to not unfairly peg someone as a Troll.

Plus I have to write this lame post. I mean, who wants to see this lame post?

Sincerely,
-- Us

Run away (1)

imakemusic (1164993) | more than 4 years ago | (#32977806)

So...some say it's alive, some say it's dead.

Obviously the only answer is removing the head or destroying the brain.

GPLv2 Plus "Non-GPL" (2, Interesting)

PSaltyDS (467134) | more than 4 years ago | (#32977810)

From the OISF Download page:

"The Suricata Engine and the HTP Library are available to use under the GPLv2."

Followed on page 2 of same by this:
"Membership in the OISF Consortium Group provides a non-gpl limited license for the Suricata IDS engine in return for ongoing support. There are multiple tiers available for consortium participation that simplify the varying levels of support and involvement possible for all types of interest. Contributions may range from man hours in development assistance, technology donations, hardware and infrastructure, to financial assistance."

I get that if the code is their copyright, they can dual license at will. But doesn't the above mean any contributions from either a community or "Membership" cannot themselves be GPL, since any code accepted will in turn be distributed "non-gpl" among the membership? Also, are there "multiple tiers" of "non-gpl limited license"?

Re:GPLv2 Plus "Non-GPL" (1, Informative)

Anonymous Coward | more than 4 years ago | (#32977972)

Contributors need to sign the Contribution agreement. It can be found here. http://www.openinfosecfoundation.org/index.php/contributors

--
User hereby irrevocably and perpetually assigns, transfers, conveys and sets over to OISF, and OISF hereby accepts the assignment, transfer, conveyance and set over, User's entire worldwide and perpetual right, title and interest in and to the Materials including but not limited to all Intellectual Property Rights in the Materials. User will give OISF or its designee all assistance reasonably required to register, perfect, enforce and apply for and obtain in OISF's name patent, copyright, trademark and other Intellectual Property Rights in any and all jurisdictions
-

Mod parent UP ! (1)

AftanGustur (7715) | more than 4 years ago | (#32978458)

This is probably why OISF is taking a dump on Snort, it's a trick to get attention to their soon-to-be-commercial product !!

Re:GPLv2 Plus "Non-GPL" (1)

zefrer (729860) | more than 4 years ago | (#32978680)

"I get that if the code is their copyright, they can dual license at will. But doesn't the above mean any contributions from either a community or "Membership" cannot themselves be GPL, since any code accepted will in turn be distributed "non-gpl" among the membership? Also, are there "multiple tiers" of "non-gpl limited license"?"

I think you misunderstood. If you obtain a copy of the source code that is licensed and distributed as GPLv2, as they claim to make available, and you then make a patch for that code then your patch must also be available under GPLv2. Otherwise there would be a license violation.

On the other hand, if you buy support, they will give you the source code under a non-gpl license which they have every right to do since they own the copyright for the original source. This can not contain any GPLv2 only code (unless under the original GPLv2 license), say from contributors that got the code under GPL. This is mainly for companies wishing to make changes to the code without having to release their changes under the GPL.

That said, requiring a 'support contract' so that they provide you with the code under a different license is pretty low.

Re:GPLv2 Plus "Non-GPL" (2, Informative)

BitZtream (692029) | more than 4 years ago | (#32980434)

And this is handled all the time by saying 'when you contribute code, you transfer the copyright to us' and then its over.

Re:GPLv2 Plus "Non-GPL" (1)

turbidostato (878842) | more than 4 years ago | (#32980928)

"The Suricata Engine and the HTP Library are available to use under the GPLv2.
[...]
Membership in the OISF Consortium Group provides a non-gpl limited license for the Suricata IDS engine in return for ongoing support."

Mix the two and what you get is:

1) Suricata is open to "tivoization" (which is quite a concern for a kind of software that naturally tends to be offered in a "black box" model).

I don't think I'll consider Suricata on my environment any time soon.
2) In order to be part of the community you should pass away copyrights for the fruits of your job to OISF which in turn is free to close development of future versions of the software at any time.

Snort's Better (2, Interesting)

helix2301 (1105613) | more than 4 years ago | (#32978090)

Snort is not dead Snort is a superior tool for network detection. Snort can be ran as a simple dump tool all the way to integration a MySQL database for analyst. Companies build snort into there tools like AlienVault and many others. Snort is a veteran tool that can do packet sniffing, packet logging and full-blown IDS. Snort can also be used with other veteran tools like Barnyard and Sguil. Suricata looks like a great product but it's not Snort.

FailZors.. (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32978686)

For those interested (0)

Anonymous Coward | more than 4 years ago | (#32981224)

OISF sent out an update this afternoon:

The Phase Two kickoff meeting for Suricata and the OISF was held in San
Francisco last Friday. We had some great discussions, these meetings
have proven to be invaluable. Thanks to all who attended, many great
ideas were exchanged and discussed. The goals of this meeting were to
review where we are in Phase One development, lay out Phase Two major
features, and bring in new ideas and challenges. These were accomplished
quite well!

Below is a discussion of where we believe we should go with Suricata for
Phase Two. This is only the beginning of the conversation, we know
everyone interested can't be at one meeting. So please consider this a
starting point and we'll continue discussion on the mailing lists.

Status

Overall, the engine is in a great state. We are much further into
development than we had expected at this point, we've solved many
technical issues we expected to be pushed to Phase Two. I have to say
I'm honored to be just near a team of developers with such talent and
dedication. Our contributors and consortium members have brought
everything we didn't have available to put this incredibly complex
engine together. My thanks to everyone who's contributed, but we have a
long road ahead of us.

We had originally intended to end Phase One with the 1.0 release and
move directly into Phase Two development. Phase One was the more
traditional features and the base functionality for the engine, then
Phase Two would be the most experimental features. We have decided to
push Phase Two development off a few months to put more time into
stabilizing and performance tuning the base engine. We need the time for
performance tuning, but also our funding for 2010 is due in September,
and the foundation is low on resources. So we're limiting development to
1.0.1 bugfixes and performance tuning for the next month or so. We'd
also like to see how this release performs and works for the community,
so get your feedback in. Phase Two features are very experimental, and
will take significant amounts of time to perfect, so we're gathering our
resources to attack this on all fronts.

So for this Interim period here are our goals:

Complete Architecture Documentation
Significant Performance Optimization
More Easily Configurable Run Mode Support (Endace has offered to
complete this)
Error Code Cleanup and Documentation
Full Documentation (community editable docs)
Advanced Profiling and Engine Statistics Module
Accuracy Improvements
Added Protocol Detections
Classifications Update (support a more elegant definition system)
Full 2.8.6 Syntax Compatibility
Better LibHTP Error Handling
Heavy Inline Testing

The Features to be pursued in Phase Two are:

High Priority:
Max Inspection Time Cutoff Setting (while inline set a packet loose to
avoid latency but still process)
File Capture and Extraction in Stream
REGEX Optimization/Acceleration (possibly using alternate regex libraries)
Live Ruleset Updates
Flow Logging (Netflow output)
Add Replace keyword support
Host attribute scrubbing (strip OS identifying oddities)
URI Matching lookups (stopbadware, websense, etc)
Full CUDA Support

Phase Two Low Priority:
IP Reputation - Explore other items, dns, etc
Distributed Blocking
Global Flowbits and flowvars
Full Stream Capture (rotating pcap support)
Traffic Redirection (bait and switch style)

We have a huge list above, and we need your help. Ideas, code
contributions, help in documentation, help in translating documentation,
and financial and hardware support are needed. We welcome input from any
source!

Please join the OISF mailing lists
(http://lists.openinfosecfoundation.org/mailman/listinfo) for more info,
discussion, and to follow developments. If you'd like more information
about consortium membership or ways you can help out please email
consortium@openinfosecfoundation.org, or myself directly at
jonkman@openinfosecfoundation.org.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>