[Snort-users] Re: About to setup snort

Bamm Visscher bamm at ...539...
Sat May 22 09:42:04 EDT 2004

I suppose this warrants a response 'on list' even though I know you and Rich have communicated privately about your concerns with the name.

First off, please understand that I have a dry sense of humor and a tendency to be 'slightly' sarcastic. In truth, the ink is completely worn off my </sarcasm> key. With that in mind, here is the history of the name (WARNING: long version with useless information follows. If uninterested skip to the bottom and short version).

Sometime in 1999/2000 I started writing my own little interface to snort for my own home/personal use. I named it spreg (Snort Personal Realtime Event GUI). Soon after that I took a position to start a managed security monitoring service within an established company focused on the gov't who wanted to get into commercial business. I took spreg with me, improved upon it, and pretty soon Rich and I had what we felt was a nifty interface that followed our theories on Network Security Monitoring (NSM) and worked extremely well in our organization. During this time, I became a regular in #snort. Often times we'd talk theory and I'd leak screen shots of spreg to give others an idea of what we were doing in our organization. I would have liked to share the code at that time, but technically it was now owned by the company (I was developing it on its time) and it would have been a support nightmare (originally it was more proof of concept, and a look/feel template for our REAL developers to use as they wrote a more robust system for long term use). Then the market tanked. Soon after, said company decided that maybe commercial work wasn't so great and they needed to focus on their 'core competency' (ie "you are all fired"). Lucky for me, one of our monitored 'customers' was our parent company. They liked what we provided them and they offered to transfer me to corporate to continue monitoring its network. I considered the guys in #snort friends and as I related the news, it again brought up the question of the spreg code. Could I now open source it? The quick answer was no. Ex-company bundled it with the long term project code, tried unsuccessfully to sell it, and shelved it. In the end, we (corporate) could continue to use it, but it wasn't 'ours'. Much discussion on #snort occurred and the question of re-writing it on 'my' time arose. My boss approved and off I went. The channel #snort-gui was created a few months later I was ready for some of the guys to test it out.
It proved to be a very alpha, but worthwhile project without a name. In order to understand the 'lamerz' part, you need to understand that a typical day in #snort went something like (my nick is 'qru' and by #snort-regular, I mean the contingent of snort users who spend a lot of time in #snort, contribute to the project, but aren't considered developers):

****Joins: USER1 has joined #snort
<USER1> I have a question, are there any developers here?
<#snort-regular> They are here, just idle. Ask your question, and maybe one of 
                 us can help
<USER1> Question
<#snort-regular> Answer
-[repeat 10x]-
****Joins: USER12 has joined #snort
<USER12> I have a question, are there any developers here?
<qru> No, just us lamerz. </sarcasm>

-[fast forward to next day]-
<qru> G'morning lamerz.
<#snort-regulars> heh.
-[repeat as needed]-

The gist of the "what do we name it" conversation went something like:

<qru> What do we call this thing?
<geek2> `echo http://www.thesaurus.com->pig`
<qru> ick
<scottder> How about <some word in some language that meant pig>
<qru> I've been calling it 'swine' as 'wine' makes me think GUI and s == snort
<qru> But I really don't like it.
<geek2||tinsley> How about SGUI - Snort GUI
<qru> Hrm. Kinda like that but it doesn't have that 'snort' name to it 
      like barnyard, oinkmaster, etc.
-[much discussion]-
<qru> How about sguil. Has the GUI in the middle and we can pronounce it
      like 'sgweel' (the sound a pig makes).
<scottder> "Make your pig sgweel".
-[and there was much rejoicing]-
<qru> Okay, so what does the 'L' stand for?
<tinsley> lamerz ;)
<qru> Bwhahahahahaahahahhaah! Snort GUI for Lamerz, That's it!
<geek2> ditto
<scottder> ditto

So that is how we came up with the name. I registered the project on sourceforge and we continued development. Some time later, Rich in his infinite wisdom said, "You know, we might want to reconsider the 'lamerz' part. It's not very marketable." Of course, I originally scoffed at the idea. This was a project for analysts, by analysts. If someone didn't want to use it because of the name, then they obviously aren't worthy </wayne&garth> of using it. Time passes and Sguil starts to mature. Rich brings up the name again, this time admitting he's shown it to a couple of high profile security types, who liked it a lot but had bad reactions to the name. He was starting to write his book, wanted sguil to be a big part of it, but the 'lamerz' had him concerned. He also had an opportunity to publish an article in SysAdmin Magazine and really wanted us to drop the 'lamerz' as he didn't think it would be received well. In the end, we agreed that Rich was right (damn you Rich!!), and after much discussing of what we could change the 'L' to, it was decided that we would silently drop the mention of the 'lamerz' and just refer to it as 'sguil'. What the 'l' meant would just be insider information from now on. Obviously I didn't do a very good job of cleanup (the screenshots in the homepage were old and still had the 'lamerz' in the titlebar. Doesn't really matter though, thanks to Google, lamerz will always be there).

And that's the rest of the story. Please don't be deceived by the name. Sguil is actively developed by a group of professional individuals who use it in real environments. We are not out there to sell you some slick interface that accomplishes nothing. We believe in the process of NSM and are trying our best to spread the word. Rich has a kick ass book coming out in July (http://www.amazon.com/exec/obidos/ASIN/0321246772/102-7471674-6122508). If you buy into the theories he discusses there, then you'll understand better what we have started with sguil.

Almost forgot the short Version: Don't judge a book by its cover.



On Fri, May 21, 2004 at 11:48:48AM -0400, Shaun T. Erickson wrote:
> Richard Bejtlich wrote:
> >If you get frustrated with ACID, consider
> >Sguil (sguil.sourceforge.net).
> It looks interesting, but I can guarantee you that I won't be running 
> anything that considers its users to be "lamerz".
> 	-ste
