[Snort-users] License change clarification
roesch at ...1935...
Wed Mar 2 20:20:20 EST 2005
I feel it is important to clarify a few issues regarding an email that
everyone received earlier today. In that note, there were certain
misrepresentations about an upcoming change in the way Snort rules will
be distributed that I would like to clarify.
First and foremost: Sourcefire has always been, and will always remain,
fully committed to the open source development model of Snort. We
remain true to the goals of the Snort project and have contributed
numerous enhancements to the technology and we will continue to do so.
For example, we just recently added a new portscan detector and a new
IP defragmenter that is utterly cutting edge in terms of its
capabilities to the project. In addition, the Sourcefire Vulnerability
Research Team has dedicated the time and expertise to cleaning up the
Snort ruleset, reducing false positives and providing enhanced
documentation for all rules. This commitment is not changing.
The changes in the way that Snort rules will be distributed revolve
around the licensing and distribution of new Sourcefire VRT rules. We
dedicate literally millions of dollars a year to staffing the VRT and
providing the necessary research feeds and testing equipment to ensure
Sourcefire customers and Snort users have the best possible threat
coverage. To give you some idea of the effort involved, every time a
rule is added to the official Snort rule set we run the entire rule set
through a regression test, over 6.8 *million* discrete tests are done
across up to 15 test machines to verify the integrity and validity of
the rule sets, a process that takes upwards of 4 hours. We also
develop custom proof of concept exploits in house against sometimes
sparse vulnerability announcements to be able to produce rules prior to
exploits becoming generally available in the wild so that our users are
prepared. Look at the rules that we developed to detect Sasser for one
example of the benefits that that has brought to the user community.
That's the level of dedication we have to the integrity and advancement
of Snort's rule set to ensure that Snort operates properly and
efficiently when new rules are released.
With these changes to Snort's rules licensing, Snort users will have
the ability to receive these rules in the same timely fashion as
Sourcefire customers for a nominal fee to help defray the numerous
expenses associated with this type of research and well within the
reach of all but the most modest of commercial entities. Additionally,
the rules language remains open and accessible to the user community,
you are free to continue to contribute to the Snort project as a
community member or use your own rules as you see fit.
Snort remains, and always will be, free. While we have tried to be
upfront with Snort Integrators about these changes and provide them as
much lead-time to prepare for the VRT Rules as possible, I'm am
disappointed, however, that some people have resorted to sending out
disinformation to this mailing list.
Finally, in light of the significant investment we make in research and
development, Sourcefire intends to take whatever steps are necessary to
enforce and protect our intellectual property. We have every reason
to believe that the Snort community will continue to abide by the terms
of the GPL and will continue to honor our copyrights on the rules.
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
More information about the Snort-users