[Snort-users] Re: [Snort-devel] RFC: Forking Snort

Jed Haile jed at ...2168...
Wed Jul 3 13:31:31 EDT 2002

Responses inline...

On Tuesday 02 July 2002 12:50 am, you wrote:

> Unfortunately, the forces that have brought Snort this level of success
> are falling out of balance. With Marty at the helm of both a wildly
> successful open source project and Sourcefire (a growing, soon to be
> 800 pound gorilla in the intrusion detection market) he is faced with
> answering to a board of directors on one hand and the security community
> on the other. These are opposing forces with dramatically different
> goals. It is simply not possible for a single person to serve both of
> these roles and act in the best interest of each.

You completely fail to provide any reasoning about how Sourcefire and the 
security community have dramatically different goals. Or even more importantly 
how Marty's goals with Sourcefire stand to harm Snort. You fear this might be 
the case, but you have no proof.

One question: What interest could Sourcefire possibly have in irritating the 
many users of Snort? None. Sourcefire is hoping to win customers, not 
alienate people. I can assure you that every decision that Marty and the rest 
of the development team makes is done with *lots* of consideration about how 
that decision will affect the users.

I'm sure that Sourcefire's board and management are equally aware that 
keeping the Snort user community happy will be an important part of any 
future success. If Snort users decide that Sourcefire is a trustworthy 
company, then they might decide to spend some money with Sourcefire. 

> While the number of users of Snort is growing, the percentage of
> community contributed code is decreasing. The reasons for this are not
> immediately obvious. Although there is plenty of community interest in
> contributing code, these interests are apparently in conflict with the
> goals of Sourcefire. Thus, some contributions have been subjected to
> stealth deletions, others have never been incorporated in the codebase
> or have been re-written by Sourcefire to be more accommodating toward
> their goals.

The rapid growth and acceptance of Snort over the past year tells me 
something right is being done with Snort, not something wrong. Sourcefire has 
been around for about a year. Perhaps Sourcefire allowing a number of people 
to concentrate on Snort full time is a benefit? It's not as if Sourcefire has 
been changing Snort and withholding the changes from others. It's not as if 
Marty has announced that all future versions of Snort will be under some 
other license. Instead Sourcefire has been paying for new Snort development, 
and Marty has stated many times that Snort will remain under the GPL.

I have recently had significant new code introduced into Snort, so I have 
direct evidence to indicate that Snort development is still open to 
developers at large who are willing to make a contribution.  Perhaps Snort 
isn't seeing lots of new contributions because most users need no new 
features, or are unable to contribute at this time.

Another thing I should point out, as one of the developers of hogwash, is 
that if you want to do your own thing with Snort, have at it. Marty and the 
rest of the Snort team have been fully supportive of the hogwash team's 
efforts. Hogwash is in many aspects a fork of Snort, it is also a project 
that I hope to one day see merged with Snort. Marty has expressed that he 
would like to see that also.

> The most successful of the contributed code has been subjected to
> consistent negative and inflammatory PR campaigns. Marty carries this
> out by proclaiming to the community false and misleading statements
> such as --- "Many of the contributed plugins, Marty says, 'were
> bug-filled, crashy, and slowed things down.'"[1] This tactic began to
> manifest in an unhealthy way a little over a year ago, shortly after
> Sourcefire was getting started.

Maintaining code is tough work. Maintaining somebody else's code is even 
harder. Every bit of code that gets removed or added is a decision that is 
made by a number of people. It is irresponsible of you to state that removing 
buggy/unmaintained/slow code is an unhealthy attitude. Snort is good, fast, 
and stable because the development team makes the very difficult decision of 
what code to keep and what code to axe. No code was removed as a result of 
Marty making a lone decision. Just because you have not been active in recent 
development and maintenance of Snort doesn't imply that nobody else is 
involved either.

Furthermore, I do not see how removing code because it is buggy or slow is 
inflammatory. Unless the developer who submitted the code had his feelings 
hurt.  It is unreasonable to expect a performance oriented project where 
users demand extreme stability to blindly accept and keep any piece of code 
simply because somebody submitted it. It is also unreasonable to submit some 
code, get it accepted into wide use, and then walk away from it and expect 
somebody else to maintain it how you would have done it.

> One can only speculate the strategy of Sourcefire in the long run;
> however, it would be foolish to think the goals of Sourcefire do not
> include maximizing profits. I have plenty of respect for Marty and I
> believe he has the best of intentions; however, he is no longer the man
> with the final say at Sourcefire. The investors of Sourcefire now
> control the critical strategies and goals of the company. There will
> undoubtedly and understandably be pressure from Sourcefire investors to
> gain more control of Snort while creating barriers to entry and stifling
> the competition.

Speculate indeed...

Before you accuse Marty, or Sourcefire, of any such misbehavior in a public 
forum perhaps you should come up with some evidence. I have already given 
evidence on how Sourcefire is helping to advance Snort, and why it is 
apparent to me that it would be contrary to Sourcefire's interests to do 
anything to upset the huge crowd of Snort users. If I were a shareholder in 
Sourcefire, I would be extremely upset if anything was done to drive away the 
vast pool of potential customers that Snort users represent.

What you are engaging in here is little more than fear mongering. If we are 
going to question motives, what is your motive in doing that? 

> There are a vast number of Snort add ons and wrappers (both open source
> and proprietary) that lead me to believe Snort is on the track toward
> becoming something of an operating system of intrusion detection that
> forms a base for numerous applications and businesses to grow and
> flourish. I would like to see an environment of healthy competition in
> this market to benefit the consumer, security community, and provide the
> opportunity for independent developers and businesses to find some niche
> and profit from their work.

The simple fact that so many companies exist who are trying to profit in some 
way from Snort indicates to me that the environment is healthy.

> These are the reasons why I believe now is the time for the community to
> begin discussing forming a branch of Snort that is governed by a
> consortium that is not profit driven, but rather exists to support the
> best interests of the community and support healthy competition among
> all of the companies that are providing Snort based security solutions.

Perhaps Linus should give up control of the linux kernel to a consortium of 
IBM, RedHat, Mandrake, Caldera, etc. Perhaps GVR should give python up to a 
board of folks from ActiveState, MS, RedHat, and so forth. There are many 
open source projects with considerable financial activity going on about them 
that have the benevolent dictator model. Many have become extremely 

I believe that Snort still has more growing to do. I think that Snort 
development needs to remain extremely responsive to changing needs. I do not 
believe for a single moment that any "consortium" of people, most of whom are 
competitors, could ever hope to come to an agreement on anything. Much less 
making hard decisions on what code to keep/drop and what architectural 
changes to make. At that point Snort development will become a political 
process instead of an engineering process. Look at any standards process for 
ample evidence of how such a process is doomed to work. How will that benefit 
any of the Snort user base?

Each project has its own culture. Part of the Snort project's culture is 
Marty's leadership style and his personality. Marty has given an unthinkable 
amount of time and energy to Snort. Many many people have benefitted from his 
work, and many others have been inspired to follow his lead and contribute 
their own time and effort. Marty has always been honest and has always taken 
his responsibilities to all Snort users extremely seriously. I also know that 
his greatest concern when he founded Sourcefire and when he pursued investors 
was that the Snort project and its community would continue to enjoy the 
same freedoms that we all enjoy from free software. 

The fact of the matter is there is more than one person with CVS access, 
there are people other than Marty who can review code, and insert it into the 
base distribution. There is a core team of developers, and all decision 
making by Snort is done by that team. Core developers come and go as they 
become active/inactive in the project.

> This is a sensitive topic, but I believe the time has come to surface
> it. I'd like to hear your opinion... Is now the right time to begin
> considering a fork or branch of Snort? What benefits or advantages would
> this create for end users, businesses that use Snort, businesses that
> provide products or services based on Snort, or the security community
> as a whole? If a consortium were formed for governing a new fork of
> Snort who or what businesses, organizations, or individuals should that
> involve?

In my opinion Snort has never been better. I cannot think of any way to 
better insure that Snort will remain what it is today, except to allow the 
existing process to continue. There is a process to how development is done, 
before you criticize the process you should learn how it is being done.

If you really feel like you can do better, then go off and do it. Fix the 
bugs, and try to find developers who have the time and skills. Write the 
docs, answer the emails, etc. Implement new functionality. Learn how to make 
the process work. Make your own reality. 

I find many of the statements you made to be either ungrounded, uninformed, 
incomplete or inaccurate. Many of them seem to be crafted to create 
controversy. That is entirely an unfair thing to do to Marty, and the rest of 
the developers, and does not do anything to help make Snort better. Please do 
not clutter things with unfounded speculation, accusations, and FUD.

Jed Haile
