[Snort-users] re: Professionalism

Martin Roesch roesch at ...1935...
Sat Nov 17 16:55:02 EST 2001


It's always nice to go on the road for a few days because I can almost
always be sure that the [expletive deleted] will hit the fan in one way
or another when I'm travelling and can't respond in an effective manner.

I'll start off by posing a question: MS Excel has a functioning *flight
simulator* embedded into it as an easter egg, does anyone take it less
seriously as a business application because of that?

The vast majority of Snort was written by me between the hours of 10PM
and 3AM over the course of the past three years.  Up until recently,
I've done this in my spare time exlusively.  The contributers to the
project are almost exclusively volunteers, also giving their best in
their spare time.  Given all that, it's pretty amazing that this
software works at all without even mentioning that Snort is widely
considered to be one of the top intrusion detection technologies
available.  What's even more amazing is that when compared with the top
10 commercial NIDS available, Snort was bested only by 2 products from 
companies with market caps in excess of $1B, beating all the dedicated
security companies in the review (I'm talking about the Network
Computing review here, it's been linked in some of the other replies).

If you'll take a second and grep for the "top 7 words you can't say on
TV" in the source, you will see there are a number of not entirely
professional comments and messages contained within.  It's widely been
said that "the one language that all programmers know is profanity", and
there's no exception in Snort.  When I'm coding some up some tricky
concept or piece of code and it's not going well (or for whatever other
reason) I have been known to slip colorful language into comments or
error messages.  These things happen at 2AM, they're inevitable.

This code/system is free (and Free).  People who don't like the way the
code is written have a number of other NIDS options both free (Prelude,
Firestorm, Pakemon, Shoki, etc) and commercial, and also have the option
of running sed(1) to search and replace all the "crap"s and "fuck"s to
"doody"s and "darn"s.  Ditto with the classification system.  The entire
rule, classification and configuration default set that comes with Snort
is merely an example of suggested configurations and signatures so that
you can have something to work with when you *customize* Snort for your
site, especially in "professional" grade installations.  

I'll make no excuses for the people who maintain Snort along side with
me, we thought that the classification was funny and we put it in.  The
development and maintenance team for Snort gives away some of their best
ideas *for free* as a matter of principle, and in the words of Jack
Nicholson "I have neither the time nor the inclination to explain myself
to a man who rises and sleeps under the blanket of the very freedom that
I provide and then questions the manner in which I provide it."  That's
a little overheated, but you get the gist.

Some people may think that it's unprofessional, but I've had no
complaints from the US Government or military, major e-commerce sites,
gigantic banks, semiconductor manufacturers, telecommunications
carriers, network security companies and managed security services
providers (among others) that use and support Snort for their operations
or as services, and if it's good enough for them then I'm ok with it. 
Snort's acceptance doesn't suffer one iota as far as I'm concerned (and
if it actually reduces the support load from blue blood companies that
are more worried about appearances than substance, so much the better).  

The legitemacy and professionalism of Snort and the open source
development model is borne out by it's user base.  'Nuff said.


     -Marty


--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org




More information about the Snort-users mailing list