[Snort-users] Snort project update

Martin Roesch roesch at ...1935...
Tue Oct 2 22:08:05 EDT 2001


Hi everyone,
     As you've probably noticed, I've been nearly invisible lately due
to a number of factors including my (now 2 month old) daughter,
Sourcefire and all the things that go along with trying to start a
company during a recession, presentations (3 SANS + BlackHat since July,
3 more SANS in Oct/Nov/Dec) and doing basic code maintenance to make
sure we continue to move forward.  Seeing as I've been so busy, there
are a few things that I'd like to address that I've let slide lately.

1) Snort.org relocation

Most of you noticed that snort.org was moved to the Sourcefire network
simultaneously with the release of version 1.8.1 of Snort.  Before I go
any further with this point, I'd just like to say that Jim Forster and
the guys at Rapidnet and Genocide2600 have been and continue to be
fantastic people and they were completely helpful to me at every turn
throughout the entire stay of snort.org on their network.  They donated
hosting, bandwidth and site development to the project and asked for
nothing in return, which was completely wonderful (especially since I
couldn't afford to do anything like that at the time).  I finally
decided to relocate the site to a machine at Sourcefire for a few
reasons:

a) I wanted to move the snort.org server from Windows to an OpenBSD
installation and the volunteer, completely free labor and support that I
was getting from the guys at Genocide2600 and Rapidnet wasn't getting me
there as fast as I had hoped.  I'm impatient. 

b) I wanted to have more direct control over the snort.org domain so
that I could do other things like set up snort.org email (which is
operational now), ftp, www and anything else that came to mind.  I'm a
control freak.

c) I have a T1 and a spare server to use, so I figured it'd be
entertaining to have a "big" website to play with.  I'm a geek.

Anyway for those of you that were wondering, that's why I moved the
site.


2) Whitehats

Whitehats has been down for something approaching 3 weeks now.  I don't
know what's going on with the site and I've been unable to contact Kimmi
Winters, Max's wife.  Max is currently unavailable and won't be
available any time soon (read: months to over a year), so I'm tending to
think that we may have seen the last of the Whitehats site and arachNIDS
for the foreseeable future.

That said, we're (Brian Caswell, Andrew Baker, Chris Green, Dragos Ruiu
and myself) working on something that we hope will take the lessons
learned from arachNIDS and allow us to put forward a new rules database
that will deliver the information you need to understand Snort's output
and make the best use of the system, while centralizing rules
development at snort.org and making the site a "1-stop-shop" for all
snort information.


3) Development

I'm going to introduce the 1.8.2-beta cycle in a few days.  This will
have some generic bug fixing for the 1.8.1 code + some improvements and
tweaks like an improved spo_unified, packet cache flushes on alerted
tracked streams for stream4, etc.  The only really big thing that's
holding up 1.8.2 right now is that pesky crash in
stream4:PruneSessionCache(), I'm hoping to have a solution for that one
RSN.  We will also be releasing Barnyard in the upcoming release (in the
contrib directory) and starting to encourage people to move to that
program for "production" use of Snort as a sensor technology.  I've gone
over the reasons for using Barnyard in the past, but the basic idea is
that for high performance usage, we really need to break out relatively
slow output systems (ASCII, DB, XML, etc) from the main Snort process
and into something that can run with much less stringent performance
requirements.

Once 1.8.2 comes out, we're going to branch for 1.9.  

Version 1.9 will be an interim release with a code reorganization in
preparation for the 2.0 development effort.  We're going to shift things
around mightily and modularize and segment the code much more
effectively than we're currently doing.  I'm figuring that 1.9 will be a
fairly quick release after 1.8.2, it might even be a "developer only"
release in that there won't be any new functionality, just a bunch of
reorg.

After the 1.9 reorg, we'll start 2.0 development in earnest.  There are
a lot of new concepts and a lot of new code that's going to go into
Snort 2.0, so this is when the development will get really exciting
again.


4) Hardware/OS recommendations

Ok, here are the guidelines and some parameters.  Intrusion detection is
turning into one of the most high performance production computing
fields that is in wide deployment today.  If you think about the
requirements of a NIDS sensor and the constraints that they are required
to operate within, you'll probably start to realize that it's not too
hard to find the performance wall with a NIDS these days.  

The things a NIDS needs are:

MIPS (Fast CPU)
RAM  (More is *always* better)
I/O  (Wide, fast busses and high performance NIC)
AODS (Acres Of Disk Space)

A NIDS also needs to be pretty quick internally at doing its job. 
Snort's seen better days in that regard (when 1.5 came out the
architecture was a lot cleaner) but it's still considered to be one of
the performance leaders available.

As for OS selection, use what you like.  When we implement Data
Acquisition Plugins in Snort 2.0 this may become more of a factor, but
for now I'm hearing about a lot of people seeing a lot of success using
Snort on Solaris, Linux, *BSD and Windows 2000.  Personally, I develop
Snort on FreeBSD and Sourcefire uses OpenBSD for our sensor appliance
OS, but I've been hearing some good things about the RedHat Turbo Packet
interface (which would require mods for Snort to use, not to mention my
general objection to RedHat's breaking stuff all the time).

Anyway, that's the scoop from me.  I'm contemplating becoming more
active around here in the next few days to start, uh, leading (or
something like that, cat herding?) the project a little more visibly and
being more helpful around here.  


     -Marty

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org