[Snort-sigs] [Snort-users] [Emerging-Sigs] VRT on Suricata

Matt Jonkman jonkman at ...829...
Thu Jul 22 11:56:10 EDT 2010

On 7/21/10 4:21 PM, Martin Roesch wrote:
> When you call Snort dead how is that not attacking it?  Was that just
> Ellen Messmer editorializing or did you in fact say that?  It was
> unclear in the article but when it was presented to me it was done in
> the context of you making that claim.  The Computerworld article says
> that your stated aim is to replace Snort because it's old technology.

No, I did not say Snort is dead. I make a living on it just like you do.
Reporters can start a fight between two nuns, as long as the nuns can't
hear what each actually says about the other. I'm disappointed you took
the bait. I'd recommend you know the reporter's motivation, and verify
what they imply before you lash out.

I won't even bother responding to the imaginary performance stats, or
calling us a waste of taxpayer money, etc etc. Those are infantile
tactics, and responding is even less mature. I expected better from the
CTO of a multi-million dollar company, frankly. I think it best if I
ignore that blog post and your related comments as they were emotional
reactions and may have been made based on an intentionally skewed
understanding of the situation. If you really feel those are the things
you ought to be saying as a representative of Sourcefire then please
correct me.

The OISF would very much like to cooperate with you and Sourcefire, and
the Snort developers, as we've been saying for a couple years now in
public and privately. It makes perfect sense to work together, and it's
an open and safe environment to share and collaborate for mutual benefit.

You cast dispersions on my and the foundation's intentions, so let me
reiterate what we are here for and what we're doing. We made the
foundation a 501c3 non-profit to achieve a VERY clear goal. Being a
501c3 legally prevents the foundation from commercializing the engine. I
go to jail if we do so. And worse, the IRS is the entity that enforces
our actions. Trust me, we will not be crossing that line.

Deployment, use and commercialization is left to community members,
consortium members, and supporters of the engine. ALL of them, not any
one, and no one has to have anyone's permission to do so.

If, and ONLY if, a company wants to make changes they cannot have
re-released via the GPL (i.e plug into a proprietary backend, work on a
secret hardware platform, etc. just like Snort) then they can obtain a
commercial license for a VERY small fee (usually paid in development

The foundation cannot legally compete with Sourcefire, nor does it have
any intentions of finding a way to do so. Sourcefire is perfectly
entitled to use the engine in a commercial product, just like anyone else.

Let me suggest that if you were to dedicate a small portion of your
Snort development resources to collaborating on Suricata you may in the
not too distant future end up with an engine that'll do what you
intended to pull off in Snort 3, and you'll do so while only bearing a
small fraction of the development load. That's the whole idea here,
collaborate in a safe environment, do something good for everyone.

There isn't commercial advantage in building new engines alone. The
money goes to management/forensics consoles, rules, and big fast boxes.
The engine is an after thought, and no one is interested in paying for
one over another. That's why this works, vendors and the community can
share resources to build the base platform then compete around it.

So, you imply you'll cooperate if we lay out our intentions. They've
been clear from the start, and we are legally bound to do things this
way. Do you have any questions or doubts about what we're doing here?

Does Sourcefire have any interest in cooperating or collaborating with
the foundation?


> Let's be clear, you initiated this discussion in public, we responded
> when the press started calling us and asking us for our thoughts.
> When these things happen we usually blog about it so that we can point
> to our blog posts instead of having to rehash the same arguments over
> and over and so that we have a central point of discussion.  If the
> phone hadn't started ringing here there would be no blog posts and no
> reactions in the press.  We didn't attack Suricata, we showed the data
> that we had and responded to criticisms vis a vis multithreading,
> performance, IPv6, etc.  The editorializing that I provided regarding
> the necessity of reimplementing the Snort detection model at taxpayer
> expense when they already get it for free was, I think, justified.
> We know your engine doesn't perform anywhere near Snort's performance
> level at this time, maybe it will someday.  We know that the
> multithreaded model you promote as the solution to performance
> problems is actually one of the prime culprits for your current
> performance issues.  We know that you've implemented the Snort
> streaming model and detection model and that you detect attacks with
> the Snort rule language which therefore defines the semantics of
> detection that are available to you.  We also know that you don't
> support the full Snort rules language or .SO rules which will hinder
> your users from protecting themselves against the worst of the threats
> that are out there today as well as making Suricata unsuitable for
> classified computing environments and impossible to work with for
> companies like Microsoft.
> We're happy to let you do your thing at OISF and eagerly await seeing
> actual innovation in your project that advances the state of the art
> for detection and performance just as we're happy to stand quietly by
> doing our own thing and pushing forward in our own way while you do
> so.  If you wish to draw comparisons to Snort in the press then you
> invite us to respond.  When you make baseless claims in the press
> (Snort 3.0 is discontinued, Snort can't do IPv6, lack of
> multithreading somehow makes it perform worse than Suricata, etc) you
> invite response and comparison to the data we have.  If you don't want
> us to respond then you should ignore us and let your code stand on its
> own merits like Bro and Hank and Firestorm and the other open source
> NIDS projects out there.  When you specifically state in public or
> private that you're gunning for Snort/Sourcefire that lets us know
> that we should take a look at what's being done so when the questions
> come our way from press or analysts or customers or the OSS community
> we have something fact-based to respond with.
> The concept of peaceful coexistence only works if both parties are
> honest about their intentions.  You say you want it in public but your
> actions show that you have quite another thing in mind.  Until we hear
> something to the contrary, we'll be operating on the principle that
> you're yet another competitor.  If you want to just keep things
> technical we're happy to leave it at that and talk about technology.
> Marty
> On Wed, Jul 21, 2010 at 12:09 PM, Matt Jonkman <jonkman at ...829...> wrote:
>> We're not really here to challenge SourceFire. We've hoped to have a
>> cooperative relationship all along, since we're both open-source projects.
>> Marty's comments are concerning. We haven't attacked Snort, we give
>> great credence to Snort as our collective roots. But we do have to
>> continue to push forward. The press brought out the snort is dead thread
>> as they always do, I only said we're not seeing major innovation in it,
>> or any ids of late. That's why we were funded to make it happen. We may
>> fail completely, but we're going to push things to the next step.
>> An open source project attacking another isn't unusual, but I certainly
>> never expected it here. And I never expected a sane person to say that
>> multi-threading isn't a viable tactic to scale. Cisco commented in one
>> of the articles that they're multi-threading and it's good for them, and
>> that they think suricata is promising. I'm going to go with Cisco as
>> having a more effective technical pedigree as they've got it working
>> commercially. SF is trying in Snort 3, but hasn't called it stable. That
>> doesn't mean it's not viable, just means their attempt didn't work.
>> As we've been doing form the beginning, we offer the olive branch of
>> cooperation to Sourcefire. We aren't looking to infringe on their sales
>> of big boxes to big companies. We want to continue to push the art.
>> If they prefer to just mud-sling then go for it, but we'll not be
>> returning the crap. You can't throw it without getting it all over
>> yourself.
>> Matt
>> On 7/21/10 11:54 AM, Paul Halliday wrote:
>>> On Wed, Jul 21, 2010 at 10:16 AM, evilghost at ...3397...
>>> <evilghost at ...3397...> wrote:
>>>> Hash: SHA1
>>>> Hi, not sure if anyone has had a chance to read the latest horseshit on the VRT blog but it seems SourceFire has elected to use the VRT blog as a way to sway those who might use
>>>> Suricata.  It's nice to see SourceFire attacking OISF, kind of reminds me when the snake-oil AV vendors spend time attacking each-other instead of actually doing something.
>>>> The only thing that surprised me was this latest round of worthless horseshit came from Matt Olney; I had more respect for that guy.  I never saw this coming, I thought Olney to be
>>>> more of a realist and less of a SoureFire apologist.  I guess everyone at some point has to defend the guy who signs their paycheck.
>>>> Give it a read http://vrt-sourcefire.blogspot.com/2010/07/innovation-you-keep-using-that-word.html
>>>> I may start a blog too, it looks like it could be really exciting.  I'd have some great content to share too.  Remember folks, the best way to have a good security community is to
>>>> attack each-other's efforts.  Things like "And we didn't even cost you a million dollars" is the best way to spur collaborative efforts.
>>>> Today I've made it a point to write "VRT" on each piece of toilet paper before I use it.  I had quite a bit to drink last night, I suspect I'm going to be writing "VRT" a lot today.
>>>> - -evilghost
>>> Perhaps the blog entry should be challenged with numbers instead of
>>> words? If someone is on the fence this does very little to sway them.
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at ...3335...
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
>>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>> --
>> ----------------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Open Information Security Foundation (OISF)
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> http://www.openinfosecfoundation.org
>> ----------------------------------------------------
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by Sprint
>> What will you do first with EVO, the first 4G phone?
>> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users


Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc

More information about the Snort-sigs mailing list