[Snort-users] Snort project update
Wayne T Work
wwork at ...3179...
Tue Oct 2 23:43:02 EDT 2001
Sounds like you are moving forward very well and welcome back to the RAT Race.
Ya need to stop having so much fun at the SANS conferences. They will wear
ya out but they are great for info, fun and meeting geeks like us.
I understand that you might be looking at building out appliance like
sensors. Maybe even Sun boxes with the new 1U Netra. Nice little box. The
Cobalt looks like a pretty snappy box too. The Cobalt server offers a great
deal of preconfigured software stuff for Snort. Linux on an Intel
Architecture. BUT I still like the speed of the SPARC architecture and its
inherent ability to use its internal resources such as memory without
gasping for air. Just MHO. I do a LOT of NT as well as Linux and Solaris.
Keep in touch. Please send me ANY info on your future endeavors. I work
for an MSP that has a great future in Security offerings.
At 01:11 AM 10/3/2001 -0400, Martin Roesch wrote:
>As you've probably noticed, I've been nearly invisible lately due
>to a number of factors including my (now 2 month old) daughter,
>Sourcefire and all the things that go along with trying to start a
>company during a recession, presentations (3 SANS + BlackHat since July,
>3 more SANS in Oct/Nov/Dec) and doing basic code maintenance to make
>sure we continue to move forward. Seeing as I've been so busy, there
>are a few things that I'd like to address that I've let slide lately.
>1) Snort.org relocation
>Most of you noticed that snort.org was moved to the Sourcefire network
>simultaneously with the release of version 1.8.1 of Snort. Before I go
>any further with this point, I'd just like to say that Jim Forster and
>the guys at Rapidnet and Genocide2600 have been and continue to be
>fantastic people and they were completely helpful to me at every turn
>throughout the entire stay of snort.org on their network. They donated
>hosting, bandwidth and site development to the project and asked for
>nothing in return, which was completely wonderful (especially since I
>couldn't afford to do anything like that at the time). I finally
>decided to relocate the site to a machine at Sourcefire for a few
>a) I wanted to move the snort.org server from Windows to an OpenBSD
>installation and the volunteer, completely free labor and support that I
>was getting from the guys at Genocide2600 and Rapidnet wasn't getting me
>there as fast as I had hoped. I'm impatient.
>b) I wanted to have more direct control over the snort.org domain so
>that I could do other things like setup snort.org email (which is
>operational now), ftp, www and anything else that came to mind. I'm a
>c) I have a T1 and a spare server to use, so I figured it'd be
>entertaining to have a "big" website to play with. I'm a geek.
>Anyway for those of you that were wondering, that's why I moved the
>Whitehats has been down for something approaching 3 weeks now. I don't
>know what's going on with the site and I've been unable to contact Kimmi
>Winters, Max's wife. Max is currently unavailable and won't be
>available any time soon (read: months to over a year), so I'm tending to
>think that we may have seen the last of the Whitehats site and arachNIDS
>for the foreseeable future.
>That said, we're (Brian Caswell, Andrew Baker, Chris Green, Dragos Ruiu
>and myself) working on something that we hope will take the lessons
>learned from arachNIDS and allow us to put forward a new rules database
>that will deliver the information you need to understand Snort's output
>and make the best use of the system, while centralizing rules
>development at snort.org and making the site a "1-stop-shop" for all
>I'm going to introduce the 1.8.2-beta cycle in a few days. This will
>have some generic bug fixing for the 1.8.1 code + some improvements and
>tweaks like an improved spo_unified, packet cache flushes on alerted
>tracked streams for stream4, etc. The only really big thing that's
>holding up 1.8.2 right now is that pesky crash in
>stream4:PruneSessionCache(), I'm hoping to have a solution for that one
>RSN. We will also be releasing Barnyard in the upcoming release (in the
>contrib directory) and starting to encourage people to move to that
>program for "production" use of Snort as a sensor technology. I've gone
>over the reasons for using Barnyard in the past, but the basic idea is
>that for high performance usage, we really need to break out relatively
>slow output systems (ASCII, DB, XML, etc) from the main Snort process
>and into something that can run with much less stringent performance
>Once 1.8.2 comes out, we're going to branch for 1.9.
>Version 1.9 will be an interim release with a code reorganization in
>preparation for the 2.0 development effort. We're going to shift things
>around mightily and modularize and segment the code much more
>effectively than we're currently doing. I'm figuring that 1.9 will be a
>fairly quick release after 1.8.2, it might even be a "developer only"
>release in that there won't be any new functionality, just a bunch of
>After the 1.9 reorg, we'll start 2.0 development in earnest. There are
>a lot of new concepts and a lot of new code that's going to go into
>Snort 2.0, so this is when the development will get really exciting
>4) Hardware/OS recommendations
>Ok, here are the guidelines and some parameters. Intrusion detection is
>turning into one of the most high performance production computing
>fields that is in wide deployment today. If you think about the
>requirements of a NIDS sensor and the constraints that they are required
>to operate within, you'll probably start to realize that it's not too
>hard to find the performance wall with a NIDS these days.
>The things a NIDS needs are:
>MIPS (Fast CPU)
>RAM (More is *always* better)
>I/O (Wide, fast busses and high performance NIC)
>AODS (Acres Of Disk Space)
>A NIDS also needs to be pretty quick internally at doing its job.
>Snort's seen better days in that regard (when 1.5 came out the
>architecture was a lot cleaner) but it's still considered to be one of
>the performance leaders available.
>As for OS selection, use what you like. When we implement Data
>Acquisition Plugins in Snort 2.0 this may become more of a factor, but
>for now I'm hearing about a lot of people seeing a lot of success using
>Snort on Solaris, Linux, *BSD and Windows 2000. Personally, I develop
>Snort on FreeBSD and Sourcefire uses OpenBSD for our sensor appliance
>OS, but I've been hearing some good things about the RedHat Turbo Packet
>interface (which would require mods for Snort to use, not to mention my
>general objection to RedHat's breaking stuff all the time).
>Anyway, that's the scoop from me. I'm contemplating becoming more
>active around here in the next few days to start, uh, leading (or
>something like that, cat herding?) the project a little more visibly and
>being more helpful around here.
>Martin Roesch - President, Sourcefire Inc. - (410)552-6999
>roesch at ...1935... - http://www.sourcefire.com
>Snort: Open Source Network IDS - http://www.snort.org