Thread: Snort Sniffs Out a Commercial Future.

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    742

    Snort Sniffs Out a Commercial Future.

    After reading this article I could only ask myself: will Snort be a fully commercial product, or will there be open source alternatives?

    Source: www.securityfocus.com

    Snort Sniffs Out a Commercial Future

    The creator of the popular open source intrusion detection system gets megabucks in venture capital for a Snort start-up.
    By Kevin Poulsen
    Feb 14 2002 1:39PM PT

    The commercial potential of open source security products won a financial vote of confidence last week when the author of the hacker-busting freeware program Snort pulled in $2 million in venture capital, and moved his year-old start-up company out of his suburban Maryland living room.

    Martin Roesch wrote Snort as a lightweight intrusion detection system in his spare time in 1998. The program quickly became hugely popular: one vendor estimates there are 100,000 Snort installations worldwide, and the project's official Web site boasted nearly 10 million downloads in its first year of operation. The software's been ported to nearly every operating system platform, and the documentation translated into at least seven different languages.

    What Snort lacked was the user-friendliness and commercial support demanded by corporate IT departments. With that in mind, Roesch launched Sourcefire in January, 2001, to build a commercial-grade appliance with Snort at the center. "You don't have to be a guru to run it, and it's faster and easier to run," says Roesch. "So the guys that need to go to their bosses and get approval, if they need a commercial entity backing their IDS engine, we give them a place to go."

    Of course, others have had the same idea. Silicon Defense, which has contributed to Snort, began offering commercial support for the free IDS last March, and sells a sensor appliance of its own, while Guardent recently rolled out an all-in-one open source security box that bundles Snort with the IPTables firewall program and the Nessus vulnerability scanner.

    IDC analyst Chris Christiansen says there are still more commercial incarnations of Snort on the way.

    "We've seen a number of companies that intend to sell Snort-based security products on a commercial basis in the last few months," says Christiansen. "It's gaining a lot of credibility. It's coming out of the open source space and it's looking like it's going to be a significant revenue generator."

    As the head of the open source project, Roesch hopes that Snort's credibility will accrue to Sourcefire. Either way, he's gearing up for the competition, moving the company into an 8,000 square foot furnished office in Columbia, MD, interviewing for new hires and sniffing out a CEO. "We're going to hire on the order of at least twenty to thirty people fairly rapidly," says Roesch. "I've started calling my friends and saying, it's time to get on a plane. It's go time."

  2. #2
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    Given the way I understand new signatures are created for Snort...

    i.e. people who use the software capture the traffic, figure out what is going on, and then write a filter to detect it, and then submit the filter...

    I can't imagine that Snort would not continue to be available for a while at least, as an open source application. One of the biggest problems with IDS is the very small number of signatures which are available for most of them. Creating new signatures for new attacks, or even creating new signatures for old attacks that don't have them yet, is essential.

    If Snort continued to be available to download and use freely for those who wish to, the company simply gets some free developers.

    It sounds to me like they are simply going to sell an easy way for companies to get into the game, i.e. OS and Snort preinstalled/tuned with a GUI, and a support agreement for when clueless IT people screw the system up.

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    There is nothing that I know of that is leading me to believe Snort will not remain open source. What this article is referring to is the products that have come out on the commercial market that use the Snort engine. There are several of them out there and they are not a bad solution at all if you don't want to take the time to do all the customization and configuration yourself.

  4. #4
    Ugh, I like Snort, that's a reason that they should respect to keep Snort free

    lol.... j/k

    Snort has been missing commercial support until Marty Roesch started *fire <sorry, can't remember the exact name>, yet Snort is considered limited compared to other IDSs.

    One facility it has missed was the ability to

    1) interact with attacks <lately changed with the --enable-flex-resp>
    2) ability to drop an attack <like hogwash does>
    3) ability to ask the fw to block an attacker permanently <aka. SAMP for those familiar with CP>

    Another really bad thing that I hate Snort for <hey, I don't hate as in I-wont-use-it, I mean it's a lack> is its ignorance <similar to those FW vendors> that don't provide a programming language for it. NFR provides N-Code, which is similar to the concept of INSPECT for CP. N-Code allows me to do whatever I want with my IDS, making sure that it would produce the lowest number of false-positives and negatives.

    With that said, I consider Snort a perfect product

    Note: I like this post, I think I will write a Snort resource for CP that uses SAMP to block intruders. Anyone interested?

    etsh911

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    I AM INTERESTED!!!

    Of course...let me know how it turns out...

  6. #6
    Originally posted here by iNViCTuS
    I AM INTERESTED!!!

    Of course...let me know how it turns out...
    Well, I'm just here to drop a line about it. I've got a SAMP module written and working <tested> but with Prelude's engine. Prelude outperforms Snort in everything. I just love it...
    Anyways the project will continue, and it will NOT stop or have a change. I will continue my work with Prelude and then port it to Snort.

    Here's an excerpt of what I think of it...

    You create a URI resource that uses UFP, in the match field you choose the Snort dictionaries that you want for this rule and then you set it to use a CVP server <your Snort system> in Read mode, and so the rule would look like "any webserver http->Snort accept" and the server would report back into the FW-1 logging module and block attackers using SAMP. So what do you think?


    Hope this thing works and gets me a decent job at a decent place
    etsh911

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    Once again mrwall, you have gone above and beyond.

    This really sounds awesome and definitely sounds like it will work in concept. (although I have not yet tried it of course)

    Please continue to keep us updated, and maybe when everything is complete you can write a short tutorial for us.
