[Snort-users] RFC: Forking Snort

Jed Pickel jed at ...153...
Tue Jul 2 00:00:58 EDT 2002

This document is intended to gauge the interest of the Snort community
in creating a fork of Snort that is governed by a consortium (similar to
Apache's "Apache Software Foundation") rather than a single profit
driven corporate entity. Below I will provide some background as to why
I am bringing this up. There are advantages and disadvantages to this
from nearly every perspective; thus, I encourage comments and discussion
of all opinions.

Snort has come to a critical point in its evolution. Due to the hard
work from numerous developers and thousands of users, Snort is now
monitoring many of the worlds most sensitive networks. Also, a growing
number of companies are offering commercial solutions based on Snort and
standardization efforts have leveraged Snort as a conduit toward
furthering security standards. As a result, the number of Snort users
continues to grow as it becomes more commercially accepted.

Few would disagree that Snort has successfully become a "killer app". 
The challenge Snort now faces is how to avoid becoming a victim of its
own success. Apache is an example of open source code that has
successfully bridged the gap from killer app to significant piece of
Internet Infrastructure. This success can be attributed to governing and
regulating Apaches growth through a consortium. I believe Snort could
benefit from the same type of arrangement.

Unfortunately, the forces that have brought Snort this level of success
are falling out of balance. With Marty at the helm of both a wildly
successfully open source project and Sourcefire (a growing, soon to be
800 pound gorilla in the intrusion detection market) he is faced with
answering to a board of directors on one hand and the security community
on the other. These are opposing forces with dramatically different
goals. It is simply not possible for a single person to serve both of
these roles and act in the best interest of each.

While the number of users of Snort is growing, the percentage of
community contributed code is decreasing. The reasons for this are not
immediately obvious. Although there is plenty of community interest in
contributing code, these interests are aparently in conflict with the
goals of Sourcefire. Thus, some contributions have had been subjected to
stealth deletions, others have never been incorporated in the codebase
or have been re-written by Sourcefire to be more accommodating toward
their goals.

The most successful of the contributed code has been subjected to
consistent negative and inflammatory PR campaigns. Marty carries this
out this by proclaiming to the community false and misleading statements
such as --- "Many of the contributed plugins, Marty says, 'were
bug-filled, crashy, and slowed things down.'"[1] This tactic began to
manifest in an unhealthy way a little over a year ago, shortly after
Sourcefire was getting started.

One can only speculate the strategy of Sourcefire in the long run;
however, it would be foolish to think the goals of Sourcefire do not
include maximizing profits. I have plenty of respect for Marty and I
believe he has the best of intentions; however, he is no longer the man
with the final say at Sourcefire. The investors of Sourcefire now
control the critical strategies and goals of the company. There will
undoubtedly and understandably be pressure from Sourcefire investors to
gain more control of Snort while creating barriers to entry and stifling
the competition.

There are a vast number of Snort add ons and wrappers (both open source
and proprietary) that lead me to believe Snort is on the track toward
becoming something of an operating system of intrusion detection that
forms a base for numerous applications and business to grow and
flourish. I would like to see an environment of healthy competition in
this market to benefit the consumer, security community, and provide the
opportunity for independent developers and business to find some niche
and profit from their work.

These are the reasons why I believe now is the time for the community to
begin discussing forming a branch of Snort that is governed by a
consortium that is not profit driven, but rather exists to support the
best interests of the community and support healthy competition among
all of the companies that are providing Snort based security solutions.

This is a sensitive topic, but I believe the time has come to surface
it. I'd like to hear your opinion... Is now the right time to begin
considering a fork or branch or Snort? What benefits or advantages would
this create for end users, business that use Snort, business that
provide products or services based on Snort, or the security community
as a whole? If a consortium were formed for governing a new fork of
Snort who or what businesses, organizations, or individuals should that

All comments, flames, and opinions are welcome. The sole intention of
this message is to initiate discussion.


* Jed

[1] http://newsforge.com/newsforge/02/06/29/2127239.shtml?tid=3

More information about the Snort-users mailing list