Sometime during this afternoon, the new Snort.org Web site was launched. It features a message from Marty that says "We will continue to dedicate our research, development and QA resources to ensuring that Snort remains the de facto standard in intrusion detection and prevention technology." I noticed the Snort.org Web page titles also use the same "de facto" language. While I more or less agree with the IDS aspect, I believe Marty and crew are being pushed by market forces to adopt the IPS stance. This is a shame, as we all know an "IPS" is a layer 7 firewall that inverts the access control best practice of "allow some, deny everything else." (In other words, an IPS performs a "deny some, allow everything else" function.) I absolutely detest the IPS label and wish access control devices were simply identified as such, and not confused with audit devices (e.g., IDSs).
The new site features a comprehensive FAQ that links to the VRT Certified Rules License Agreement. I encourage everyone to read the documents themselves, but here's my summary:
- If you absolutely must have the latest rules, as soon as Sourcefire's Vulnerability Research Team (VRT) develops them, you should subscribe. "Introductory pricing" is $195/month, $495/quarter, or $1795/year. You are not allowed to redistribute these rules outside of your organization.
- If you can afford to wait five days after a new rule is deployed, you should register. This is free, but again you cannot redistribute these rules outside of your organization.
- If you don't want to subscribe or register, you can remain anonymous and receive new rules with every new Snort point release. In other words, if/when Snort 2.4.0 or 3.0.0 arrives, you'll get a new batch of rules with it.
Where does this leave the companies with products like Lucid Security's ipANGEL or services like VeriSign's (previously Guardent's) managed intrusion detection that use Snort as their IDS? Sourcefire calls these organizations Snort Integrators: "any company that distributes Snort or Snort rules in their commercial offerings. This includes vendors bundling Snort or Snort rules, MSSPs and SIMs." These companies will need to buy a Snort Integrator License. I have emailed the listed point of contact to find out more about this.
The last item I'd like to mention is the Snort rules themselves. There are now two "flavors":
"Sourcefire VRT Certified Rules are the official rules of snort.org. Each rule has been rigorously tested against the same standards the VRT uses for Sourcefire customers. These rules are distributed under the new VRT Certified Rules License Agreement that restricts commercial redistribution."
"Community Rules [are] rules submitted by members of the open source community. While these rules are available 'as is,' the VRT performs basic tests to ensure that new rules will not break Snort. These rules are distributed under the GPL and are freely available to all open source Snort users."
It looks like Bleeding Snort will be the focal point for the new Community Rules, although this has not been confirmed.
Stay tuned for more commentary as I figure out how this is all working. I am meeting with Marty on Thursday at the Sourcefire HQ, so expect a good follow-up Thursday or Friday.