Snort mailing list archives
Re: [Emerging-Sigs] VRT on Suricata
From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 21 Jul 2010 16:21:29 -0400
Hey Matt,

When you call Snort dead how is that not attacking it? Was that just Ellen Messmer editorializing or did you in fact say that? It was unclear in the article but when it was presented to me it was done in the context of you making that claim. The Computerworld article says that your stated aim is to replace Snort because it's old technology.

Let's be clear, you initiated this discussion in public, we responded when the press started calling us and asking us for our thoughts. When these things happen we usually blog about it so that we can point to our blog posts instead of having to rehash the same arguments over and over and so that we have a central point of discussion. If the phone hadn't started ringing here there would be no blog posts and no reactions in the press. We didn't attack Suricata, we showed the data that we had and responded to criticisms vis a vis multithreading, performance, IPv6, etc. The editorializing that I provided regarding the necessity of reimplementing the Snort detection model at taxpayer expense when they already get it for free was, I think, justified.

We know your engine doesn't perform anywhere near Snort's performance level at this time, maybe it will someday. We know that the multithreaded model you promote as the solution to performance problems is actually one of the prime culprits for your current performance issues. We know that you've implemented the Snort streaming model and detection model and that you detect attacks with the Snort rule language which therefore defines the semantics of detection that are available to you. We also know that you don't support the full Snort rules language or .SO rules which will hinder your users from protecting themselves against the worst of the threats that are out there today as well as making Suricata unsuitable for classified computing environments and impossible to work with for companies like Microsoft.

We're happy to let you do your thing at OISF and eagerly await seeing actual innovation in your project that advances the state of the art for detection and performance just as we're happy to stand quietly by doing our own thing and pushing forward in our own way while you do so. If you wish to draw comparisons to Snort in the press then you invite us to respond. When you make baseless claims in the press (Snort 3.0 is discontinued, Snort can't do IPv6, lack of multithreading somehow makes it perform worse than Suricata, etc) you invite response and comparison to the data we have. If you don't want us to respond then you should ignore us and let your code stand on its own merits like Bro and Hank and Firestorm and the other open source NIDS projects out there. When you specifically state in public or private that you're gunning for Snort/Sourcefire that lets us know that we should take a look at what's being done so when the questions come our way from press or analysts or customers or the OSS community we have something fact-based to respond with.

The concept of peaceful coexistence only works if both parties are honest about their intentions. You say you want it in public but your actions show that you have quite another thing in mind. Until we hear something to the contrary, we'll be operating on the principle that you're yet another competitor. If you want to just keep things technical we're happy to leave it at that and talk about technology.

Marty

On Wed, Jul 21, 2010 at 12:09 PM, Matt Jonkman <jonkman () jonkmans com> wrote:
We're not really here to challenge SourceFire. We've hoped to have a cooperative relationship all along, since we're both open-source projects. Marty's comments are concerning. We haven't attacked Snort, we give great credence to Snort as our collective roots. But we do have to continue to push forward. The press brought out the "Snort is dead" thread as they always do, I only said we're not seeing major innovation in it, or any IDS of late. That's why we were funded to make it happen. We may fail completely, but we're going to push things to the next step.

An open source project attacking another isn't unusual, but I certainly never expected it here. And I never expected a sane person to say that multi-threading isn't a viable tactic to scale. Cisco commented in one of the articles that they're multi-threading and it's good for them, and that they think Suricata is promising. I'm going to go with Cisco as having a more effective technical pedigree as they've got it working commercially. SF is trying in Snort 3, but hasn't called it stable. That doesn't mean it's not viable, just means their attempt didn't work.

As we've been doing from the beginning, we offer the olive branch of cooperation to Sourcefire. We aren't looking to infringe on their sales of big boxes to big companies. We want to continue to push the art. If they prefer to just mud-sling then go for it, but we'll not be returning the crap. You can't throw it without getting it all over yourself.

Matt

On 7/21/10 11:54 AM, Paul Halliday wrote:

On Wed, Jul 21, 2010 at 10:16 AM, evilghost () packetmail net <evilghost () packetmail net> wrote:

Hi, not sure if anyone has had a chance to read the latest horseshit on the VRT blog but it seems SourceFire has elected to use the VRT blog as a way to sway those who might use Suricata.

It's nice to see SourceFire attacking OISF, kind of reminds me when the snake-oil AV vendors spend time attacking each other instead of actually doing something. The only thing that surprised me was this latest round of worthless horseshit came from Matt Olney; I had more respect for that guy. I never saw this coming, I thought Olney to be more of a realist and less of a SourceFire apologist. I guess everyone at some point has to defend the guy who signs their paycheck.

Give it a read http://vrt-sourcefire.blogspot.com/2010/07/innovation-you-keep-using-that-word.html

I may start a blog too, it looks like it could be really exciting. I'd have some great content to share too. Remember folks, the best way to have a good security community is to attack each other's efforts. Things like "And we didn't even cost you a million dollars" are the best way to spur collaborative efforts.

Today I've made it a point to write "VRT" on each piece of toilet paper before I use it. I had quite a bit to drink last night, I suspect I'm going to be writing "VRT" a lot today.

-evilghost

Perhaps the blog entry should be challenged with numbers instead of words? If someone is on the fence this does very little to sway them.

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Get your ET Stuff!
Tshirts, Coffee Mugs and Lanyards
http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html

--
----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org