Intrusion Detection Systems

Marty Roesch is the man behind two popular intrusion detection solutions. He began developing the open source project Snort in 1998 and, last year, he founded Sourcefire, Inc. to offer an appliance-based version of the system.
Four years ago, while developing an unrelated application, Marty Roesch found that he needed a way to analyze network traffic in detail. After spending a month exploring different ways to accomplish this task, he released the results as an open source project. "I figured it would be something fun to do on rainy weekends instead of playing Quake or watching TV," he said. "It started as a weekend project and got way out of hand."

Roesch's project, Snort, evolved gradually over the following year. He says the key to Snort's ultimate success really came down to just sticking with it. "It's an ongoing process," he said. "I would build the things I found interesting and release them open source, get a little feedback, make improvements to add features people wanted, get more feedback and it would just cycle like that."
In the fall of 1999, Roesch took a step back and re-engineered the system, changing it from what he describes as a sniffer with limited intrusion detection functionality into a flexible and extensible intrusion detection system. "That's when it really caught fire and started to take off," Roesch said. "Now it's a very big open source security project. We get about 75,000 hits a day on Snort.org."

In many ways, Snort is a great example of the power of the open source community. "Instead of having market research show us the next feature to put into the system, the guys who are using Snort say, 'Gee, it would be nice if it did this,'" Roesch said. "Once we get enough heads nodding, then we go out and build it. We have a really tight feedback loop between users and developers. We're customer-driven like nobody's business."

Roesch says Snort's greatest strength lies in its flexibility: you can adjust it to handle intrusion detection however you want. "It's just fun to use," he said. "People really fall in love with the fact that they can tell Snort what they want to see, and Snort tells them what it sees. Very few other intrusion detection systems actually let you do that."

That flexibility, he says, was central to Snort's architecture. "Most intrusion detection systems come with an attitude of, 'The customer doesn't know how to use this, so let's weld them into our way of doing it,'" he said. "When I built Snort, I said, 'I have no idea how to do intrusion detection on your network, so I'll build a system that's flexible, give you a bunch of defaults, and then you can shape it however you want.'"

Two years ago, Roesch began to consider developing a commercial version of Snort. While the open source project was popular, it had its limitations. "I'd have people tell me, 'Really nice system, Marty, but we can't deploy it,'" Roesch said. "Either they couldn't use open source software, or they couldn't use unsupported systems, or they couldn't use anything they couldn't buy." The next step, Roesch says, was obvious. "You can only hear that so many times before little red lights start going off in your head," he said.
The areas that needed development for commercial deployment, Roesch says, had been made clear in recent reviews. "They were highlighted pretty strongly for us in the Network Computing reviews last August," he said. "Snort came in third out of a field of ten. The things they said it was lacking were manageability, ease of installation, and ease of use."

Roesch says Sourcefire's products were developed for the people who are struggling to make Snort manage the volume of data they need to cover. "What Sourcefire gives them is a plug-and-play solution they can just drop in and it does the job," he said. "That's really valuable, because the number of people who want to sit and write Perl scripts all day to master intrusion detection sensors is pretty limited."

In addition, Sourcefire addresses one of the most significant concerns that many large organizations have regarding Snort. "An open source system gives management conniption fits, because if the guys who built the thing go someplace else, then you're left holding the bag," Roesch said. "With Sourcefire, you have a company backing it up and it's just as powerful and flexible as the open source system was."

As a result, Roesch suggests, you get the best of both worlds. Management gets the reassurance that the system has the backing of a commercial company, and if the people who install the system move on, Sourcefire will be there to train the new employees to use it. Network administrators, meanwhile, still get a system that's flexible enough that they can play with it and adapt it to their own needs.

Finally, Roesch adds, Sourcefire offers a complete solution in a way that few other vendors do. "All our stuff is integrated, so our systems are literally self-contained," he said. "They can interoperate if you have an external database, but that's not required at all. Customers really like that solution-oriented approach: they like the fact that it's plug-and-play, and you don't have to buy anything else to get it to work."
Bilateral sniffing alternatives

That's not to say that large organizations can't use Snort without the backing of Sourcefire. Roesch says some of the biggest companies in the world use Snort. Sourcefire simply adds the manageability, ease of use, and ease of deployment that many enterprise customers are looking for in an intrusion detection system.

Sourcefire's OpenSnort Sensors cost $9,995 each, and the OpenSnort Management Console costs $19,995. Various service contracts are available, ranging from a platinum level with around-the-clock support to a standard contract with per-incident support and e-mail discussion list access. Training on Sourcefire's products is also available, and training on IDS and forensic analysis in general is planned for the near future. Snort, of course, is free.

Ultimately, Roesch says, any decision between the two comes down to how much time you're willing to put in. "Sourcefire lets you deploy Snort in volume if you're not interested in writing your own management system," he said. "If you have the manpower, time, and patience to develop a management system, go for it, but if you want to do intrusion detection instead of intrusion detection management, get Sourcefire."