Snort mailing list archives
Re: Snort project update
From: Wayne T Work <wwork () cybergnostic com>
Date: Wed, 03 Oct 2001 01:50:32 -0400
Marty,

Sounds like you are moving forward very well, and welcome back to the RAT race. Ya need to stop having so much fun at the SANS conferences. They will wear ya out, but they are great for info, fun and meeting geeks like us.

I understand that you might be looking at building out appliance-like sensors. Maybe even Sun boxes with the new 1U Netra. Nice little box. The Cobalt looks like a pretty snappy box too. The Cobalt server offers a great deal of preconfigured software stuff for Snort: Linux on an Intel architecture. BUT I still like the speed of the SPARC architecture and its inherent ability to use its internal resources such as memory without gasping for air. Just MHO. I do a LOT of NT as well as Linux and Solaris thru 8.

Keep in touch. Please send me ANY info on your future endeavors. I work for an MSP that has a great future in security offerings.

Talley Hooooo!!!!!!!!

At 01:11 AM 10/3/2001 -0400, Martin Roesch wrote:
Hi everyone,

As you've probably noticed, I've been nearly invisible lately due to a number of factors including my (now 2 month old) daughter, Sourcefire and all the things that go along with trying to start a company during a recession, presentations (3 SANS + BlackHat since July, 3 more SANS in Oct/Nov/Dec) and doing basic code maintenance to make sure we continue to move forward. Seeing as I've been so busy, there are a few things that I'd like to address that I've let slide lately.

1) Snort.org relocation

Most of you noticed that snort.org was moved to the Sourcefire network simultaneously with the release of version 1.8.1 of Snort. Before I go any further with this point, I'd just like to say that Jim Forster and the guys at Rapidnet and Genocide2600 have been and continue to be fantastic people and they were completely helpful to me at every turn throughout the entire stay of snort.org on their network. They donated hosting, bandwidth and site development to the project and asked for nothing in return, which was completely wonderful (especially since I couldn't afford to do anything like that at the time).

I finally decided to relocate the site to a machine at Sourcefire for a few reasons:

a) I wanted to move the snort.org server from Windows to an OpenBSD installation and the volunteer, completely free labor and support that I was getting from the guys at Genocide2600 and Rapidnet wasn't getting me there as fast as I had hoped. I'm impatient.

b) I wanted to have more direct control over the snort.org domain so that I could do other things like set up snort.org email (which is operational now), ftp, www and anything else that came to mind. I'm a control freak.

c) I have a T1 and a spare server to use, so I figured it'd be entertaining to have a "big" website to play with. I'm a geek.

Anyway, for those of you that were wondering, that's why I moved the site.

2) Whitehats

Whitehats has been down for something approaching 3 weeks now. I don't know what's going on with the site and I've been unable to contact Kimmi Winters, Max's wife. Max is currently unavailable and won't be available any time soon (read: months to over a year), so I'm tending to think that we may have seen the last of the Whitehats site and arachNIDS for the foreseeable future. That said, we're (Brian Caswell, Andrew Baker, Chris Green, Dragos Ruiu and myself) working on something that we hope will take the lessons learned from arachNIDS and allow us to put forward a new rules database that will deliver the information you need to understand Snort's output and make the best use of the system, while centralizing rules development at snort.org and making the site a "1-stop-shop" for all Snort information.

3) Development

I'm going to introduce the 1.8.2-beta cycle in a few days. This will have some generic bug fixing for the 1.8.1 code + some improvements and tweaks like an improved spo_unified, packet cache flushes on alerted tracked streams for stream4, etc. The only really big thing that's holding up 1.8.2 right now is that pesky crash in stream4:PruneSessionCache(); I'm hoping to have a solution for that one RSN.

We will also be releasing Barnyard in the upcoming release (in the contrib directory) and starting to encourage people to move to that program for "production" use of Snort as a sensor technology. I've gone over the reasons for using Barnyard in the past, but the basic idea is that for high performance usage, we really need to break out relatively slow output systems (ASCII, DB, XML, etc) from the main Snort process and into something that can run with much less stringent performance requirements.

Once 1.8.2 comes out, we're going to branch for 1.9. Version 1.9 will be an interim release with a code reorganization in preparation for the 2.0 development effort. We're going to shift things around mightily and modularize and segment the code much more effectively than we're currently doing. I'm figuring that 1.9 will be a fairly quick release after 1.8.2; it might even be a "developer only" release in that there won't be any new functionality, just a bunch of reorg. After the 1.9 reorg, we'll start 2.0 development in earnest. There are a lot of new concepts and a lot of new code that's going to go into Snort 2.0, so this is when the development will get really exciting again.

4) Hardware/OS recommendations

Ok, here are the guidelines and some parameters. Intrusion detection is turning into one of the most high performance production computing fields that is in wide deployment today. If you think about the requirements of a NIDS sensor and the constraints that they are required to operate within, you'll probably start to realize that it's not too hard to find the performance wall with a NIDS these days. The things a NIDS needs are:

MIPS (Fast CPU)
RAM (More is *always* better)
I/O (Wide, fast busses and high performance NIC)
AODS (Acres Of Disk Space)

A NIDS also needs to be pretty quick internally at doing its job. Snort's seen better days in that regard (when 1.5 came out the architecture was a lot cleaner) but it's still considered to be one of the performance leaders available.

As for OS selection, use what you like. When we implement Data Acquisition Plugins in Snort 2.0 this may become more of a factor, but for now I'm hearing about a lot of people seeing a lot of success using Snort on Solaris, Linux, *BSD and Windows 2000. Personally, I develop Snort on FreeBSD and Sourcefire uses OpenBSD for our sensor appliance OS, but I've been hearing some good things about the RedHat Turbo Packet interface (which would require mods for Snort to use, not to mention my general objection to RedHat's breaking stuff all the time).

Anyway, that's the scoop from me. I'm contemplating becoming more active around here in the next few days to start, uh, leading (or something like that, cat herding?) the project a little more visibly and being more helpful around here.

-Marty

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Wayne <wwork () cybergnostic com>
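Marty's argument for Barnyard is that the sensor's fast path should only append compact binary records to a spool, and that the slow, format-heavy work (ASCII, database, XML) belongs in a separate consumer with relaxed timing. The following added example, which is not Snort's or Barnyard's own code, sketches that split: the record layout, the `Alert` type and all function names are invented for this illustration, not Snort's real unified format. The consumer deliberately stops at a partially written trailing record and reports how far it got, which is the property a spool reader needs when the producer is still writing.

```python
"""Constructed illustration of the "spool fast, format slowly" design behind
Barnyard. The sensor side appends fixed-layout binary records to a spool; a
separate consumer parses them and produces the expensive text views.
The record layout here is hypothetical, not Snort's actual unified format."""
import json
import socket
import struct
import tempfile
from dataclasses import dataclass

# Hypothetical record header (network byte order, no padding):
#   sig_id, gen_id, ts_sec, ts_usec, src_ip, dst_ip, sport, dport, proto, payload_len
HDR = struct.Struct("!IIIIIIHHBI")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass
class Alert:
    sig_id: int
    gen_id: int
    ts_sec: int
    ts_usec: int
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    payload: bytes


def ip_to_int(ip: str) -> int:
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def pack_alert(a: Alert) -> bytes:
    """Sensor fast path: one struct pack plus the raw payload, no string formatting."""
    return HDR.pack(a.sig_id, a.gen_id, a.ts_sec, a.ts_usec,
                    ip_to_int(a.src), ip_to_int(a.dst),
                    a.sport, a.dport, a.proto, len(a.payload)) + a.payload


def unpack_records(buf: bytes):
    """Consumer side: return (alerts, bytes_consumed).

    A truncated trailing record (header or payload cut short because the
    producer is mid-write) is left unread; the caller resumes from the offset."""
    alerts, off = [], 0
    while off + HDR.size <= len(buf):
        fields = HDR.unpack_from(buf, off)
        payload_len = fields[-1]
        end = off + HDR.size + payload_len
        if end > len(buf):
            break  # incomplete payload; wait for the next pass
        payload = buf[off + HDR.size:end]
        alerts.append(Alert(fields[0], fields[1], fields[2], fields[3],
                            int_to_ip(fields[4]), int_to_ip(fields[5]),
                            fields[6], fields[7], fields[8], payload))
        off = end
    return alerts, off


def drain_spool(path: str, offset: int):
    """Read every complete record appended since `offset`; return (alerts, new_offset)."""
    with open(path, "rb") as fh:
        fh.seek(offset)
        alerts, consumed = unpack_records(fh.read())
    return alerts, offset + consumed


def format_fast(a: Alert) -> str:
    """The kind of ASCII rendering that is cheap here but costly inline in the sensor."""
    proto = PROTO_NAMES.get(a.proto, str(a.proto))
    return f"[{a.gen_id}:{a.sig_id}] {proto} {a.src}:{a.sport} -> {a.dst}:{a.dport}"


def format_json(a: Alert) -> str:
    return json.dumps({"gen_id": a.gen_id, "sig_id": a.sig_id, "ts": a.ts_sec,
                       "src": a.src, "sport": a.sport, "dst": a.dst,
                       "dport": a.dport, "proto": a.proto,
                       "payload_len": len(a.payload)}, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample alerts; the spool lives in a temp file for the demo.
    a = Alert(1000001, 1, 1001923200, 0, "10.0.0.5", "192.168.1.9", 40000, 80, 6, b"GET / ")
    b = Alert(1000002, 1, 1001923201, 500, "10.0.0.6", "192.168.1.9", 40001, 53, 17, b"")
    with tempfile.NamedTemporaryFile(delete=False) as spool:
        spool.write(pack_alert(a) + pack_alert(b) + pack_alert(a)[:10])  # last one mid-write
    alerts, pos = drain_spool(spool.name, 0)
    for alert in alerts:
        print(format_fast(alert))
        print(format_json(alert))
    print(f"consumed {pos} bytes; a partial record remains for the next pass")
```

The producer never blocks on formatting, and the consumer can be restarted or fall behind without losing records, because it only ever advances past complete ones.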
Current thread:
- Snort project update Martin Roesch (Oct 02)
- Re: Snort project update Wayne T Work (Oct 02)
- Re: Snort project update Michael Boman (Oct 03)