[Snort-users] [Snort-sigs] [Emerging-Sigs] VRT on Suricata

Al MailingList alpal.mailinglist at ...11827...
Thu Jul 22 15:12:10 EDT 2010


Awwww, it was just getting good :)

Al


On Thu, Jul 22, 2010 at 5:28 PM, Matthew Olney <molney at ...1935...> wrote:
> As requested by many, replied to privately.
>
> Matt Olney (Author of emotional blog post)
>
> -----Original Message-----
> From: Matt Jonkman [mailto:jonkman at ...4024...]
> Sent: Thursday, July 22, 2010 11:56 AM
> To: Martin Roesch
> Cc: snort-sigs at lists.sourceforge.net; Emerging-sigs at ...14333...;
> snort-users at lists.sourceforge.net
> Subject: Re: [Snort-sigs] [Snort-users] [Emerging-Sigs] VRT on Suricata
>
> On 7/21/10 4:21 PM, Martin Roesch wrote:
>> When you call Snort dead how is that not attacking it?  Was that just
>> Ellen Messmer editorializing or did you in fact say that?  It was
>> unclear in the article but when it was presented to me it was done in
>> the context of you making that claim.  The Computerworld article says
>> that your stated aim is to replace Snort because it's old technology.
>
> No, I did not say Snort is dead. I make a living on it just like you do.
> Reporters can start a fight between two nuns, as long as the nuns can't hear
> what each actually says about the other. I'm disappointed you took the bait.
> I'd recommend you know the reporter's motivation, and verify what they imply
> before you lash out.
>
> I won't even bother responding to the imaginary performance stats, or
> calling us a waste of taxpayer money, etc etc. Those are infantile tactics,
> and responding is even less mature. I expected better from the CTO of a
> multi-million dollar company, frankly. I think it best if I ignore that blog
> post and your related comments as they were emotional reactions and may have
> been made based on an intentionally skewed understanding of the situation.
> If you really feel those are the things you ought to be saying as a
> representative of Sourcefire then please correct me.
>
> The OISF would very much like to cooperate with you and Sourcefire, and the
> Snort developers, as we've been saying for a couple years now in public and
> privately. It makes perfect sense to work together, and it's an open and
> safe environment to share and collaborate for mutual benefit.
>
> You cast aspersions on my and the foundation's intentions, so let me
> reiterate what we are here for and what we're doing. We made the foundation
> a 501c3 non-profit to achieve a VERY clear goal. Being a
> 501c3 legally prevents the foundation from commercializing the engine. I go
> to jail if we do so. And worse, the IRS is the entity that enforces our
> actions. Trust me, we will not be crossing that line.
>
> Deployment, use and commercialization is left to community members,
> consortium members, and supporters of the engine. ALL of them, not any one,
> and no one has to have anyone's permission to do so.
>
> If, and ONLY if, a company wants to make changes they cannot have
> re-released via the GPL (i.e. plug into a proprietary backend, work on a
> secret hardware platform, etc. just like Snort) then they can obtain a
> commercial license for a VERY small fee (usually paid in development hours).
>
> The foundation cannot legally compete with Sourcefire, nor does it have any
> intentions of finding a way to do so. Sourcefire is perfectly entitled to
> use the engine in a commercial product, just like anyone else.
>
> Let me suggest that if you were to dedicate a small portion of your Snort
> development resources to collaborating on Suricata you may in the not too
> distant future end up with an engine that'll do what you intended to pull
> off in Snort 3, and you'll do so while only bearing a small fraction of the
> development load. That's the whole idea here, collaborate in a safe
> environment, do something good for everyone.
>
> There isn't commercial advantage in building new engines alone. The money
> goes to management/forensics consoles, rules, and big fast boxes.
> The engine is an afterthought, and no one is interested in paying for one
> over another. That's why this works, vendors and the community can share
> resources to build the base platform then compete around it.
>
> So, you imply you'll cooperate if we lay out our intentions. They've been
> clear from the start, and we are legally bound to do things this way. Do you
> have any questions or doubts about what we're doing here?
>
> Does Sourcefire have any interest in cooperating or collaborating with the
> foundation?
>
> Matt
>
>>
>> Let's be clear, you initiated this discussion in public, we responded
>> when the press started calling us and asking us for our thoughts.
>> When these things happen we usually blog about it so that we can point
>> to our blog posts instead of having to rehash the same arguments over
>> and over and so that we have a central point of discussion.  If the
>> phone hadn't started ringing here there would be no blog posts and no
>> reactions in the press.  We didn't attack Suricata, we showed the data
>> that we had and responded to criticisms vis a vis multithreading,
>> performance, IPv6, etc.  The editorializing that I provided regarding
>> the necessity of reimplementing the Snort detection model at taxpayer
>> expense when they already get it for free was, I think, justified.
>>
>> We know your engine doesn't perform anywhere near Snort's performance
>> level at this time, maybe it will someday.  We know that the
>> multithreaded model you promote as the solution to performance
>> problems is actually one of the prime culprits for your current
>> performance issues.  We know that you've implemented the Snort
>> streaming model and detection model and that you detect attacks with
>> the Snort rule language which therefore defines the semantics of
>> detection that are available to you.  We also know that you don't
>> support the full Snort rules language or .SO rules which will hinder
>> your users from protecting themselves against the worst of the threats
>> that are out there today as well as making Suricata unsuitable for
>> classified computing environments and impossible to work with for
>> companies like Microsoft.
>>
>> We're happy to let you do your thing at OISF and eagerly await seeing
>> actual innovation in your project that advances the state of the art
>> for detection and performance just as we're happy to stand quietly by
>> doing our own thing and pushing forward in our own way while you do
>> so.  If you wish to draw comparisons to Snort in the press then you
>> invite us to respond.  When you make baseless claims in the press
>> (Snort 3.0 is discontinued, Snort can't do IPv6, lack of
>> multithreading somehow makes it perform worse than Suricata, etc) you
>> invite response and comparison to the data we have.  If you don't want
>> us to respond then you should ignore us and let your code stand on its
>> own merits like Bro and Hank and Firestorm and the other open source
>> NIDS projects out there.  When you specifically state in public or
>> private that you're gunning for Snort/Sourcefire that lets us know
>> that we should take a look at what's being done so when the questions
>> come our way from press or analysts or customers or the OSS community
>> we have something fact-based to respond with.
>>
>> The concept of peaceful coexistence only works if both parties are
>> honest about their intentions.  You say you want it in public but your
>> actions show that you have quite another thing in mind.  Until we hear
>> something to the contrary, we'll be operating on the principle that
>> you're yet another competitor.  If you want to just keep things
>> technical we're happy to leave it at that and talk about technology.
>>
>>
>> Marty
>>
>>
>> On Wed, Jul 21, 2010 at 12:09 PM, Matt Jonkman <jonkman at ...4024...> wrote:
>>> We're not really here to challenge SourceFire. We've hoped to have a
>>> cooperative relationship all along, since we're both open-source projects.
>>>
>>> Marty's comments are concerning. We haven't attacked Snort, we give
>>> great credence to Snort as our collective roots. But we do have to
>>> continue to push forward. The press brought out the "snort is dead"
>>> thread as they always do, I only said we're not seeing major
>>> innovation in it, or any ids of late. That's why we were funded to
>>> make it happen. We may fail completely, but we're going to push things to
>>> the next step.
>>>
>>> An open source project attacking another isn't unusual, but I
>>> certainly never expected it here. And I never expected a sane person
>>> to say that multi-threading isn't a viable tactic to scale. Cisco
>>> commented in one of the articles that they're multi-threading and
>>> it's good for them, and that they think suricata is promising. I'm
>>> going to go with Cisco as having a more effective technical pedigree
>>> as they've got it working commercially. SF is trying in Snort 3, but
>>> hasn't called it stable. That doesn't mean it's not viable, just means
>>> their attempt didn't work.
>>>
>>> As we've been doing from the beginning, we offer the olive branch of
>>> cooperation to Sourcefire. We aren't looking to infringe on their
>>> sales of big boxes to big companies. We want to continue to push the art.
>>>
>>> If they prefer to just mud-sling then go for it, but we'll not be
>>> returning the crap. You can't throw it without getting it all over
>>> yourself.
>>>
>>> Matt
>>>
>>> On 7/21/10 11:54 AM, Paul Halliday wrote:
>>>> On Wed, Jul 21, 2010 at 10:16 AM, evilghost at ...14939...
>>>> <evilghost at ...14939...> wrote:
>>>>>
>>>>> Hi, not sure if anyone has had a chance to read the latest
>>>>> horseshit on the VRT blog but it seems SourceFire has elected to use
>>>>> the VRT blog as a way to sway those who might use Suricata.  It's nice to
>>>>> see SourceFire attacking OISF, kind of reminds me when the snake-oil AV
>>>>> vendors spend time attacking each other instead of actually doing something.
>>>>>
>>>>> The only thing that surprised me was this latest round of worthless
>>>>> horseshit came from Matt Olney; I had more respect for that guy.  I
>>>>> never saw this coming, I thought Olney to be more of a realist and less of a
>>>>> SourceFire apologist.  I guess everyone at some point has to defend the guy
>>>>> who signs their paycheck.
>>>>>
>>>>> Give it a read
>>>>> http://vrt-sourcefire.blogspot.com/2010/07/innovation-you-keep-using-that-word.html
>>>>>
>>>>> I may start a blog too, it looks like it could be really exciting.
>>>>> I'd have some great content to share too.  Remember folks, the best way
>>>>> to have a good security community is to attack each other's efforts.  Things
>>>>> like "And we didn't even cost you a million dollars" is the best way to spur
>>>>> collaborative efforts.
>>>>>
>>>>> Today I've made it a point to write "VRT" on each piece of toilet paper
>>>>> before I use it.  I had quite a bit to drink last night, I suspect I'm going
>>>>> to be writing "VRT" a lot today.
>>>>>
>>>>> - -evilghost
>>>>>
>>>>
>>>> Perhaps the blog entry should be challenged with numbers instead of
>>>> words? If someone is on the fence this does very little to sway them.
>>>>
>>>
>>> --
>>>
>>> ----------------------------------------------------
>>> Matthew Jonkman
>>> Emerging Threats
>>> Open Information Security Foundation (OISF) Phone 765-429-0398 Fax
>>> 312-264-0205 http://www.emergingthreats.net
>>> http://www.openinfosecfoundation.org
>>> ----------------------------------------------------
>>>
>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>