[Snort-sigs] [Snort-users] [Emerging-Sigs] VRT on Suricata

Martin Roesch roesch at ...435...
Wed Jul 21 16:21:29 EDT 2010

Hey Matt,

When you call Snort dead how is that not attacking it?  Was that just
Ellen Messmer editorializing or did you in fact say that?  It was
unclear in the article but when it was presented to me it was done in
the context of you making that claim.  The Computerworld article says
that your stated aim is to replace Snort because it's old technology.

Let's be clear, you initiated this discussion in public, we responded
when the press started calling us and asking us for our thoughts.
When these things happen we usually blog about it so that we can point
to our blog posts instead of having to rehash the same arguments over
and over and so that we have a central point of discussion.  If the
phone hadn't started ringing here there would be no blog posts and no
reactions in the press.  We didn't attack Suricata, we showed the data
that we had and responded to criticisms vis a vis multithreading,
performance, IPv6, etc.  The editorializing that I provided regarding
the necessity of reimplementing the Snort detection model at taxpayer
expense when they already get it for free was, I think, justified.

We know your engine doesn't perform anywhere near Snort's performance
level at this time, maybe it will someday.  We know that the
multithreaded model you promote as the solution to performance
problems is actually one of the prime culprits for your current
performance issues.  We know that you've implemented the Snort
streaming model and detection model and that you detect attacks with
the Snort rule language which therefore defines the semantics of
detection that are available to you.  We also know that you don't
support the full Snort rules language or .SO rules which will hinder
your users from protecting themselves against the worst of the threats
that are out there today as well as making Suricata unsuitable for
classified computing environments and impossible to work with for
companies like Microsoft.

We're happy to let you do your thing at OISF and eagerly await seeing
actual innovation in your project that advances the state of the art
for detection and performance just as we're happy to stand quietly by
doing our own thing and pushing forward in our own way while you do
so.  If you wish to draw comparisons to Snort in the press then you
invite us to respond.  When you make baseless claims in the press
(Snort 3.0 is discontinued, Snort can't do IPv6, lack of
multithreading somehow makes it perform worse than Suricata, etc) you
invite response and comparison to the data we have.  If you don't want
us to respond then you should ignore us and let your code stand on its
own merits like Bro and Hank and Firestorm and the other open source
NIDS projects out there.  When you specifically state in public or
private that you're gunning for Snort/Sourcefire that lets us know
that we should take a look at what's being done so when the questions
come our way from press or analysts or customers or the OSS community
we have something fact-based to respond with.

The concept of peaceful coexistence only works if both parties are
honest about their intentions.  You say you want it in public but your
actions show that you have quite another thing in mind.  Until we hear
something to the contrary, we'll be operating on the principle that
you're yet another competitor.  If you want to just keep things
technical we're happy to leave it at that and talk about technology.


On Wed, Jul 21, 2010 at 12:09 PM, Matt Jonkman <jonkman at ...829...> wrote:
> We're not really here to challenge SourceFire. We've hoped to have a
> cooperative relationship all along, since we're both open-source projects.
> Marty's comments are concerning. We haven't attacked Snort, we give
> great credence to Snort as our collective roots. But we do have to
> continue to push forward. The press brought out the snort is dead thread
> as they always do, I only said we're not seeing major innovation in it,
> or any ids of late. That's why we were funded to make it happen. We may
> fail completely, but we're going to push things to the next step.
> An open source project attacking another isn't unusual, but I certainly
> never expected it here. And I never expected a sane person to say that
> multi-threading isn't a viable tactic to scale. Cisco commented in one
> of the articles that they're multi-threading and it's good for them, and
> that they think suricata is promising. I'm going to go with Cisco as
> having a more effective technical pedigree as they've got it working
> commercially. SF is trying in Snort 3, but hasn't called it stable. That
> doesn't mean it's not viable, just means their attempt didn't work.
> As we've been doing form the beginning, we offer the olive branch of
> cooperation to Sourcefire. We aren't looking to infringe on their sales
> of big boxes to big companies. We want to continue to push the art.
> If they prefer to just mud-sling then go for it, but we'll not be
> returning the crap. You can't throw it without getting it all over
> yourself.
> Matt
> On 7/21/10 11:54 AM, Paul Halliday wrote:
>> On Wed, Jul 21, 2010 at 10:16 AM, evilghost at ...3397...
>> <evilghost at ...3397...> wrote:
>>> Hash: SHA1
>>> Hi, not sure if anyone has had a chance to read the latest horseshit on the VRT blog but it seems SourceFire has elected to use the VRT blog as a way to sway those who might use
>>> Suricata.  It's nice to see SourceFire attacking OISF, kind of reminds me when the snake-oil AV vendors spend time attacking each-other instead of actually doing something.
>>> The only thing that surprised me was this latest round of worthless horseshit came from Matt Olney; I had more respect for that guy.  I never saw this coming, I thought Olney to be
>>> more of a realist and less of a SoureFire apologist.  I guess everyone at some point has to defend the guy who signs their paycheck.
>>> Give it a read http://vrt-sourcefire.blogspot.com/2010/07/innovation-you-keep-using-that-word.html
>>> I may start a blog too, it looks like it could be really exciting.  I'd have some great content to share too.  Remember folks, the best way to have a good security community is to
>>> attack each-other's efforts.  Things like "And we didn't even cost you a million dollars" is the best way to spur collaborative efforts.
>>> Today I've made it a point to write "VRT" on each piece of toilet paper before I use it.  I had quite a bit to drink last night, I suspect I'm going to be writing "VRT" a lot today.
>>> - -evilghost
>> Perhaps the blog entry should be challenged with numbers instead of
>> words? If someone is on the fence this does very little to sway them.
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at ...3335...
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
> --
> ----------------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
> PGP: http://www.jonkmans.com/mattjonkman.asc
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Sprint
> What will you do first with EVO, the first 4G phone?
> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org

More information about the Snort-sigs mailing list