[Snort-users] License change clarification

Martin Roesch roesch at ...1935...
Wed Mar 2 20:20:20 EST 2005

I feel it is important to clarify a few issues regarding an email that 
everyone received earlier today.  In that note, there were certain 
misrepresentations about an upcoming change in the way Snort rules will 
be distributed that I would like to clarify.

First and foremost: Sourcefire has always been, and will always remain, 
fully committed to the open source development model of Snort.  We 
remain true to the goals of the Snort project and have contributed 
numerous enhancements to the technology and we will continue to do so.  
For example, we just recently added a new portscan detector and a new 
IP defragmenter that is utterly cutting edge in terms of its 
capabilities to the project.  In addition, the Sourcefire Vulnerability 
Research Team has dedicated the time and expertise to cleaning up the 
Snort ruleset, reducing false positives and providing enhanced 
documentation for all rules.  This commitment is not changing.

The changes in the way that Snort rules will be distributed revolve 
around the licensing and distribution of new Sourcefire VRT rules.  We 
dedicate literally millions of dollars a year to staffing the VRT and 
providing the necessary research feeds and testing equipment to ensure 
Sourcefire customers and Snort users have the best possible threat 
coverage.  To give you some idea of the effort involved, every time a 
rule is added to the official Snort rule set we run the entire rule set 
through a regression test, over 6.8 *million* discrete tests are done 
across up to 15 test machines to verify the integrity and validity of 
the rule sets, a process that takes upwards of 4 hours.  We also 
develop custom proof of concept exploits in house against sometimes 
sparse vulnerability announcements to be able to produce rules prior to 
exploits becoming generally available in the wild so that our users are 
prepared.  Look at the rules that we developed to detect Sasser for one 
example of the benefits that that has brought to the user community.  
That's the level of dedication we have to the integrity and advancement 
of Snort's rule set to ensure that Snort operates properly and 
efficiently when new rules are released.

With these changes to Snort's rules licensing, Snort users will have 
the ability to receive these rules in the same timely fashion as 
Sourcefire customers ­ for a nominal fee to help defray the numerous 
expenses associated with this type of research and well within the 
reach of all but the most modest of commercial entities.  Additionally, 
the rules language remains open and accessible to the user community, 
you are free to continue to contribute to the Snort project as a 
community member or use your own rules as you see fit.

Snort remains, and always will be, free.  While we have tried to be 
upfront with Snort Integrators about these changes and provide them as 
much lead-time to prepare for the VRT Rules as possible, I'm am 
disappointed, however, that some people have resorted to sending out 
disinformation to this mailing list.

Finally, in light of the significant investment we make in research and 
development, Sourcefire intends to take whatever steps are necessary to 
enforce and protect our intellectual property.   We have every reason 
to believe that the Snort community will continue to abide by the terms 
of the GPL and will continue to honor our copyrights on the rules.


Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

More information about the Snort-users mailing list