10:30 AM

Snort Turns 10, Sourcefire Goes Virtual

IDS/IPS vendor joins the ranks of VMware partners, gears up for commercial rollout of next-generation Snort

Sourcefire is about to hit a couple of major milestones. First, its popular open-source Snort intrusion detection and prevention platform will celebrate its tenth birthday next month by unveiling a revamped code base and a new look that does more than intrusion detection and prevention.

Second, Sourcefire went virtual today at VMworld in Las Vegas, announcing that its RNA network behavior analysis, network access control (NAC), and vulnerability management platform can now handle security for both physical and VMware-based virtual machines. According to reports, Sourcefire is also planning to roll out a virtual appliance version of RNA.

“It’s survival… Any IDS/IPS or firewall company will be pushing to make a virtual appliance version of their solutions for reasons quite obvious at this point” given the emergence of virtual environments, says Christofer Hoff, chief security architect for Unisys. One big problem with virtual environments is the lack of visibility into these environments, especially when it comes to detecting security issues, he says.

Just what Sourcefire's virtualization strategy with RNA ultimately means to Snort and IDS/IPS technology is unclear. The company says it’s just the first step in its plans for securing virtual environments.

“In the long run, behavior-based systems will likely take the place of signature-based systems, so from that perspective, you could say that this [announcement] reflects a change in network-based monitoring,” says Eric Maiwald, vice president and service director of security and risk management strategies for the Burton Group. But Maiwald says he doesn’t see the RNA announcement as part of any major evolution in IDS/IPS.

Some big changes are afoot for Snort, though: The core system framework of Snort 3.0, which is out in beta and due for commercial release early next year, was recently renamed SnortSP (Snort Security Platform) because it encompasses more than IDS. “Snort is not just IDS/IPS anymore,” says Marty Roesch, founder and CTO of Sourcefire. “It’s for building arbitrary network security operations.”

Roesch says he rewrote Snort’s code base in 3.0 from the ground up, looking for ways to make it faster and more scalable. He also looked at some of the problems of attackers evading IPSs: “I wanted to minimize the evadability of the system… by incorporating data about the network we’re protecting into the Snort process itself… Now we teach Snort what the network looks like so it can defend itself accordingly. My end goal is a self-tuning protection engine.”

IPS technology is still Sourcefire’s bread and butter, says Thomas Ptacek, principal with Matasano Security. “I think Sourcefire has been pretty disciplined. When CheckPoint IPO'd, they differentiated into all sorts of crazy stuff -- performance management, antivirus, a bunch of half-hearted IPS attempts. Sourcefire has the IPS and RNA,” Ptacek says. “Since RNA is the part that isn't open-source and can't be licensed by competitors, it’s where most of the ‘innovation’ goes.”

Intrusion detection and prevention technology suffers from the same shortcomings as traditional antivirus -- its reliance on signature-based detection that doesn’t see the new threats, only the known ones. Even so, you can’t have prevention without detection, according to Unisys’s Hoff. “IPS is part of a whole security architecture,” he says.

Burton’s Maiwald says behavior-based monitoring will eventually overtake signature-based IDS/IPS. “The new features [in Snort 3.0] help with the basic weakness of signature-based monitoring, but they do not change the overall problem. In order for a signature to be created, something bad must be seen or found. Not every type of bad event fits this model.”

Sourcefire today also announced that it has joined VMware’s Technology Alliance Partnership (TAP) and VMsafe Partner programs, so it will be able to deploy VMware’s VMsafe API and get that visibility into virtual machine operations in order to detect and remove malware, for instance.

Meanwhile, Richard Park, virtualization product manager for Sourcefire, says there are cases of virtual machines running without any anti-virus or anti-spyware. “It has really been the Wild West out there” in virtual environments, Park says. “This is really just about traditional security. Making sure the actual machines are secure… and that policies aren’t being violated.”

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...