On Mar 16, 2005, at 4:25 PM, David W. Goodrum wrote:
Actually Marty, I think the reason Snort is so popular is because it's
freely available, not becuase your signatures are open. I can tell
you that NFR does not have nearly the userbase that Snort has, and
yet, our signatures are openly readable... The difference? NFR is not
a free product. Back in pre-2000, when NFR had the research and
development version of the product available for free, we had a ton of
downloads of the free product. It had nothing to do with the open
signature language we use... it was simply the fact that it was free.
I don't think anyone would disagree that being free is one of the
reasons for Snort's popularity but it's also popular because it's a
good technology. One of the reasons that people stick with Snort once
they get past the initial "let's put some free stuff on the network and
see how it works" phase is because it's predictable and transparent and
it works.
I once had the VP of Engineering of a large network security company
try to talk me out of starting Sourcefire because "the only reason
people use Snort is because it's free, nobody will pay for it". I
didn't agree with that concept back then and I've since proven that
being free is just one reason people use Snort initially, the really
interesting thing is that they keep using it even when they have budget
and a mandate to deploy a detection technology. I can only imagine
that there's more to it than the low initial cost of entry, we all know
what happens to costs once you've got a 50 of these things cranking out
events.
I agree with your comments about writing good signatures. We released
a whitepaper a couple of years back in an effort to teach people how
to write good signatures using the NFR product, and even though we've
had our signatures openly readable since day 1, we've never had a
remote exploit. (well okay, we didn't actually have signatures on day
1, but you know what i mean. ;) )
All code has bugs. Just because there aren't any bugtraq entries for
product XYZ doesn't mean that it doesn't have (or never had) any
security issues. Operating in the open forces you to adopt a pragmatic
stance with regards to recognizing and dealing with security issues in
your code and that's a mode that I don't mind operating in and I
believe that the user community by and large appreciates it.
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend. - http://www.sourcefire.com
Snort: Open Source Intrusion Detection and Prevention -
http://www.snort.org
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
