Snort mailing list archives

Re: [Snort-sigs] [Emerging-Sigs] VRT on Suricata

From: "Matthew Olney" <molney () sourcefire com>
Date: Thu, 22 Jul 2010 12:28:06 -0400

As requested by many, replied to privately.

Matt Olney (Author of emotional blog post)

-----Original Message-----
From: Matt Jonkman [mailto:jonkman () jonkmans com] 
Sent: Thursday, July 22, 2010 11:56 AM
To: Martin Roesch
Cc: snort-sigs () lists sourceforge net; Emerging-sigs () emergingthreats net;
snort-users () lists sourceforge net
Subject: Re: [Snort-sigs] [Snort-users] [Emerging-Sigs] VRT on Suricata

On 7/21/10 4:21 PM, Martin Roesch wrote:
When you call Snort dead how is that not attacking it?  Was that just 
Ellen Messmer editorializing or did you in fact say that?  It was 
unclear in the article but when it was presented to me it was done in 
the context of you making that claim.  The Computerworld article says 
that your stated aim is to replace Snort because it's old technology.

No, I did not say Snort is dead. I make a living on it just like you do.
Reporters can start a fight between two nuns, as long as the nuns can't hear
what each actually says about the other. I'm disappointed you took the bait.
I'd recommend you know the reporter's motivation, and verify what they imply
before you lash out.

I won't even bother responding to the imaginary performance stats, or
calling us a waste of taxpayer money, etc etc. Those are infantile tactics,
and responding is even less mature. I expected better from the CTO of a
multi-million dollar company, frankly. I think it best if I ignore that blog
post and your related comments as they were emotional reactions and may have
been made based on an intentionally skewed understanding of the situation.
If you really feel those are the things you ought to be saying as a
representative of Sourcefire then please correct me.

The OISF would very much like to cooperate with you and Sourcefire, and the
Snort developers, as we've been saying for a couple years now in public and
privately. It makes perfect sense to work together, and it's an open and
safe environment to share and collaborate for mutual benefit.

You cast aspersions on my and the foundation's intentions, so let me
reiterate what we are here for and what we're doing. We made the foundation
a 501c3 non-profit to achieve a VERY clear goal. Being a
501c3 legally prevents the foundation from commercializing the engine. I go
to jail if we do so. And worse, the IRS is the entity that enforces our
actions. Trust me, we will not be crossing that line.

Deployment, use and commercialization is left to community members,
consortium members, and supporters of the engine. ALL of them, not any one,
and no one has to have anyone's permission to do so.

If, and ONLY if, a company wants to make changes they cannot have
re-released via the GPL (i.e. plug into a proprietary backend, work on a
secret hardware platform, etc. just like Snort) then they can obtain a
commercial license for a VERY small fee (usually paid in development hours).

The foundation cannot legally compete with Sourcefire, nor does it have any
intentions of finding a way to do so. Sourcefire is perfectly entitled to
use the engine in a commercial product, just like anyone else.

Let me suggest that if you were to dedicate a small portion of your Snort
development resources to collaborating on Suricata you may in the not too
distant future end up with an engine that'll do what you intended to pull
off in Snort 3, and you'll do so while only bearing a small fraction of the
development load. That's the whole idea here, collaborate in a safe
environment, do something good for everyone.

There isn't commercial advantage in building new engines alone. The money
goes to management/forensics consoles, rules, and big fast boxes.
The engine is an afterthought, and no one is interested in paying for one
over another. That's why this works, vendors and the community can share
resources to build the base platform then compete around it.

So, you imply you'll cooperate if we lay out our intentions. They've been
clear from the start, and we are legally bound to do things this way. Do you
have any questions or doubts about what we're doing here?

Does Sourcefire have any interest in cooperating or collaborating with the


Let's be clear, you initiated this discussion in public, we responded 
when the press started calling us and asking us for our thoughts.
When these things happen we usually blog about it so that we can point 
to our blog posts instead of having to rehash the same arguments over 
and over and so that we have a central point of discussion.  If the 
phone hadn't started ringing here there would be no blog posts and no 
reactions in the press.  We didn't attack Suricata, we showed the data 
that we had and responded to criticisms vis-à-vis multithreading, 
performance, IPv6, etc.  The editorializing that I provided regarding 
the necessity of reimplementing the Snort detection model at taxpayer 
expense when they already get it for free was, I think, justified.

We know your engine doesn't perform anywhere near Snort's performance 
level at this time, maybe it will someday.  We know that the 
multithreaded model you promote as the solution to performance 
problems is actually one of the prime culprits for your current 
performance issues.  We know that you've implemented the Snort 
streaming model and detection model and that you detect attacks with 
the Snort rule language which therefore defines the semantics of 
detection that are available to you.  We also know that you don't 
support the full Snort rules language or .SO rules which will hinder 
your users from protecting themselves against the worst of the threats 
that are out there today as well as making Suricata unsuitable for 
classified computing environments and impossible to work with for 
companies like Microsoft.

We're happy to let you do your thing at OISF and eagerly await seeing 
actual innovation in your project that advances the state of the art 
for detection and performance just as we're happy to stand quietly by 
doing our own thing and pushing forward in our own way while you do 
so.  If you wish to draw comparisons to Snort in the press then you 
invite us to respond.  When you make baseless claims in the press 
(Snort 3.0 is discontinued, Snort can't do IPv6, lack of 
multithreading somehow makes it perform worse than Suricata, etc) you 
invite response and comparison to the data we have.  If you don't want 
us to respond then you should ignore us and let your code stand on its 
own merits like Bro and Hank and Firestorm and the other open source 
NIDS projects out there.  When you specifically state in public or 
private that you're gunning for Snort/Sourcefire that lets us know 
that we should take a look at what's being done so when the questions 
come our way from press or analysts or customers or the OSS community 
we have something fact-based to respond with.

The concept of peaceful coexistence only works if both parties are 
honest about their intentions.  You say you want it in public but your 
actions show that you have quite another thing in mind.  Until we hear 
something to the contrary, we'll be operating on the principle that 
you're yet another competitor.  If you want to just keep things 
technical we're happy to leave it at that and talk about technology.


On Wed, Jul 21, 2010 at 12:09 PM, Matt Jonkman <jonkman () jonkmans com>
We're not really here to challenge SourceFire. We've hoped to have a 
cooperative relationship all along, since we're both open-source

Marty's comments are concerning. We haven't attacked Snort, we give 
great credence to Snort as our collective roots. But we do have to 
continue to push forward. The press brought out the snort is dead 
thread as they always do, I only said we're not seeing major 
innovation in it, or any ids of late. That's why we were funded to 
make it happen. We may fail completely, but we're going to push things to
the next step.

An open source project attacking another isn't unusual, but I 
certainly never expected it here. And I never expected a sane person 
to say that multi-threading isn't a viable tactic to scale. Cisco 
commented in one of the articles that they're multi-threading and 
it's good for them, and that they think suricata is promising. I'm 
going to go with Cisco as having a more effective technical pedigree 
as they've got it working commercially. SF is trying in Snort 3, but 
hasn't called it stable. That doesn't mean it's not viable, just means
their attempt didn't work.

As we've been doing from the beginning, we offer the olive branch of 
cooperation to Sourcefire. We aren't looking to infringe on their 
sales of big boxes to big companies. We want to continue to push the art.

If they prefer to just mud-sling then go for it, but we'll not be 
returning the crap. You can't throw it without getting it all over 


On 7/21/10 11:54 AM, Paul Halliday wrote:
On Wed, Jul 21, 2010 at 10:16 AM, evilghost () packetmail net 
<evilghost () packetmail net> wrote:

Hi, not sure if anyone has had a chance to read the latest 
horseshit on the VRT blog but it seems SourceFire has elected to use
the VRT blog as a way to sway those who might use Suricata.  It's nice to
see SourceFire attacking OISF, kind of reminds me when the snake-oil AV
vendors spend time attacking each-other instead of actually doing something.

The only thing that surprised me was this latest round of worthless 
horseshit came from Matt Olney; I had more respect for that guy.  I
never saw this coming, I thought Olney to be more of a realist and less of a
SourceFire apologist.  I guess everyone at some point has to defend the guy
who signs their paycheck.

Give it a read

I may start a blog too, it looks like it could be really exciting.  
I'd have some great content to share too.  Remember folks, the best way
to have a good security community is to attack each-other's efforts.  Things
like "And we didn't even cost you a million dollars" is the best way to spur
collaborative efforts.

Today I've made it a point to write "VRT" on each piece of toilet paper
before I use it.  I had quite a bit to drink last night, I suspect I'm going
to be writing "VRT" a lot today.

-evilghost

Perhaps the blog entry should be challenged with numbers instead of 
words? If someone is on the fence this does very little to sway them.

Emerging-sigs mailing list
Emerging-sigs () emergingthreats net

Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs 
and Lanyards


Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF) Phone 765-429-0398 Fax 


--------- This email is sponsored by Sprint What will you do 
first with EVO, the first 4G phone?
Visit --
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:




This email is sponsored by Sprint What will you do first with EVO,
the first 4G phone?
Visit --
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
