Recently Network World’s Ellen Messmer asked “Is open-source Snort dead?” With claims of a new and improved open-source IDS engine, OISF certainly hopes so. Of course Sourcefire, the keeper of Snort, vehemently disagrees.
Open-source projects are a great way to drive interest and innovation in almost any field, so it will be interesting to see what unique developments come from the OISF project. It is notable that such an effort is aimed at a market as mature as the IDS/IPS marketplace; open-source projects of this kind are usually focused on driving primary innovation in their field. Based on its leadership and the features in the initial release, it appears that OISF is focused on making a new and improved version of Snort. The state of the Network Threat Prevention industry, however, has moved beyond the assumptions that led to Snort’s early success.
Today, effective network threat protection depends on a fundamental understanding of the threat, not just pattern-matching detection against packet captures. For example, looking at a packet capture will never tell you that the attack is designed to morph every 24 hours. To understand the threats, you need an in-depth understanding of the code that is generating the attack. That means the fundamental research effort moves from looking at packets to capturing and analyzing the behaviors of the executables that generate the attack.
It also means that you have to understand the vulnerability landscape. Our customers enjoy the added confidence that comes when their network protection prevents exploits against both known and unknown vulnerabilities. Consider this: In 2009 McAfee protocol anomaly signatures covered Microsoft vulnerabilities an average of 7 days prior to vulnerability announcements. Vulnerability protection means that organizations can confidently wait until an appropriate change window to implement patches.
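The contrast drawn above, between a content signature tied to one exploit’s bytes and a protocol-anomaly rule tied to the vulnerability itself, can be shown in miniature. The following is an added illustration, not McAfee’s, Snort’s or OISF’s code: it assumes a constructed toy protocol (1-byte opcode, 1-byte declared length, payload) whose hypothetical server trusts the declared length up to a 64-byte limit, and two constructed packets, one carrying the known exploit bytes and one morphed variant that does not.

```python
MAX_FIELD_LEN = 64  # constructed limit the toy protocol's spec places on the length field

# Exploit-specific content: the byte sequence one particular exploit happens to carry.
KNOWN_EXPLOIT_BYTES = b"\x90\x90\x90\x90"


def build_packet(opcode: int, payload: bytes) -> bytes:
    """Toy wire format (constructed): 1-byte opcode, 1-byte declared length, payload."""
    return bytes([opcode, len(payload)]) + payload


def pattern_signature_alerts(packet: bytes) -> bool:
    """Content-match rule: fires only if the known exploit bytes are present."""
    return KNOWN_EXPLOIT_BYTES in packet


def protocol_anomaly_alerts(packet: bytes) -> bool:
    """Vulnerability-centric rule: fires when the declared length violates the
    protocol limit the flawed parser trusts, whatever the payload bytes are."""
    if len(packet) < 2:
        return True  # a header too short to parse is itself a protocol violation
    declared_len = packet[1]
    return declared_len > MAX_FIELD_LEN


def classify(packet: bytes) -> dict:
    """Run both rules over one packet and report which of them would alert."""
    return {
        "pattern": pattern_signature_alerts(packet),
        "anomaly": protocol_anomaly_alerts(packet),
    }


# Constructed samples, not real traffic:
BENIGN = build_packet(0x01, b"hello")
KNOWN_VARIANT = build_packet(0x01, KNOWN_EXPLOIT_BYTES + b"A" * 100)
MORPHED_VARIANT = build_packet(0x01, b"\x41\x42\x43\x44" + b"B" * 100)


if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN), ("known variant", KNOWN_VARIANT),
                      ("morphed variant", MORPHED_VARIANT)]:
        print(name, classify(pkt))
```

The morphed variant escapes the content signature but still trips the anomaly rule, which is why a rule written against the vulnerability can cover exploits that did not exist when it was published.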
We at McAfee are certainly encouraged to see organizations like OISF joining the effort of pushing for innovation in the IDS/IPS technology, especially when said innovation has been the major contribution of McAfee to the security industry. It will be interesting to see if the open-source community can find a way to add real-time malware detection capabilities as well – yet another example of how our innovation has moved beyond just understanding and analyzing packets.