Thursday, March 03, 2005

New License for Snort Rules Announced, Not Yet Published

Yesterday Snort developer Marty Roesch announced that the license governing Snort rule usage will be changing. Marty said:

"Recently, we have become increasingly aware of companies who are commercially redistributing rules written by the Sourcefire VRT without contributing to the considerable resources required to develop high quality rules in such a timely fashion.

In order to enable us to continue supporting the open source model and dedicate these various resources to ensuring users have access to the best possible detection capabilities, we will begin distributing new "Sourcefire VRT Certified Rules" under a new license that restricts commercial redistribution. For developers building open source applications using Snort rules or Snort end users in general, the change in the licensing policy has no effect. The changes in the license apply specifically to organizations that are commercially redistributing the rules for either a product or a service offering."

Marty has not yet published the new license itself, although he posted a follow-up message with additional notes. The new rules will be distributed starting 7 March under the new license.

These two messages appear to have been prompted by this post by Demarc. Demarc was known for its Puresecure interface to Snort, a version of which was available to the public under a convoluted license. Now they sell a Snort appliance called Sentaurus, which they bought from the now-defunct Silicon Defense company. In their message Demarc announced their new Snort community portal, where they claim to offer Demarc Certified Open Signatures. These rules are currently published without their copyright notices, as can be seen in this example. I gave Demarc notice that they need to provide proper copyright attribution.

The other center for Snort rule development is Bleeding Snort. Yesterday Matt Jonkman announced the following:

"I'm happy to be able to announce that Snort.org/Sourcefire and Bleeding Snort are now working together to build a single community that will be the premier source for Snort signatures, along with a more mature and still completely open signature and research group."

Marty must have decided to work with Bleeding Snort to prevent publication of poor rules, and perhaps provide a viable alternative to Demarc.

Speaking of Demarc, they also announced this:

"Our community portal will also become the new home for the SPADE statistical packet anomaly detection project and SnortSnarf, two projects originally managed by SiliconDefense and subsequently transferred to Demarc."

Demarc appears to be countering Simon Biles's SPADE resurrection, which he began in September 2004. Simon just published a new paper (.pdf) and presentation (.pdf) explaining SPADE.

Stay tuned for more details. I will look closely at the new Snort rules license when it is published.
