Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Connect Directly

Snort Turns 10, Sourcefire Goes Virtual

IDS/IPS vendor joins the ranks of VMWare partners, gears up for commercial rollout of next-generation Snort

Sourcefire is about to hit a couple of major milestones. First, its popular open-source Snort intrustion detection and prevention platform will celebrate its tenth birthday next month by unveiling a revamped code base and a new look that does more than intrusion detection and prevention.

Second, Sourcefire went virtual today at VMWorld in Las Vegas, announcing that its RNA network behavior analysis, network access control (NAC), and vulnerability management platform can now handle security for both physical and VMware-based virtual machines. According to reports, Sourcefire is also planning to roll out a virtual appliance version of RNA.

“It’s survival… Any IDS/IPS or firewall company will be pushing to make a virtual appliance version of their solutions for reasons quite obvious at this point” given the emergence of virtual environments, says Christofer Hoff, chief security architect for Unisys. One big problem with virtual environments is the lack of visibility into these environments, especially when it comes to detecting security issues, he says.

Just what Sourcefire's virtualization strategy with RNA ultimately means to Snort and IDS/IPS technology is unclear. The company says it’s just the first step in its plans for securing virtual environments.

“In the long run, behavior-based systems will likely take the place of signature-based systems, so from that perspective, you could say that this [announcement] reflects a change in network-based monitoring,” says Eric Maiwald, vice president and service director of security and risk management strategies for the Burton Group. But Maiwald says he doesn’t see the RNA announcement as part of any major evolution in IDS/IPS.

Some big changes are afoot for Snort, though: The core system framework of Snort 3.0, which is out in beta and due for commercial release early next year, was recently renamed SnortSP (Snort Security Platform) because it encompasses more than IDS. “Snort is not just IDS/IPS anymore,” says Marty Roesch, founder and CTO of Sourcefire. “It’s for building arbitrary network security operations.”

Roesch says he rewrote Snort’s code base in 3.0 from the ground up, looking for ways to make it faster and more scalable. He also looked at some of the problems of attackers evading IPSs: “I wanted to minimize the evadability of the system… by incorporating data bout the network we’re protecting into the Snort process itself… Now we teach Snort what the network looks like so it can defend itself accordingly. My end goal is a self-tuning protection engine.”

IPS technology is still Sourcefire’s bread and butter, says Thomas Ptacek, principal with Matasano Security. “I think Sourcefire has been pretty disciplined. When CheckPoint IPO'd, they differentiated into all sorts of crazy stuff -- performance management, antivirus, a bunch of half-hearted IPS attempts. SourceFire has the IPS and RNA,” Ptacek says. “Since RNA is the part that isn't open-source and can't be licensed by competitors, it’s where most of the ‘innovation’ goes.”

Intrusion detection and prevention technology suffers from the same shortcomings as traditional antivirus -- its reliance on signature-based detection that doesn’t see the new threats, only the known ones. Even so, you can’t have prevention without detection, according to Unisys’s Hoff. “IPS is part of a whole security architecture,” he says.

Burton’s Maiwald says behavior-based monitoring will eventually overtake signature-based IDS/IPS. “The the new features [in Snort 3.0] help with the basic weakness of signature-based monitoring, but they do not change the overall problem. In order for a signature to be created, something bad must be seen or found. Not every type of bad event fits this model."

Sourcefire today also announced that it has joined VMware’s Technology Alliance Partnership (TAP) and VMsafe Partner programs, so it will be able to deploy VMware’s VMsafe API and get that visibility into virtual machine operations in order to detect and remove malware, for instance.

Meanwhile, Richard Park, virtualization product manager for Sourcefire, says there are cases of virtual machines running without any anti-virus or anti-spyware. “It has really been the Wild West out there” in virtual environments, Park says. “This is really just about traditional security. Making sure the actual machines are secure… and that policies aren’t being violated.”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Burton Group
  • Matasano Security LLC
  • Sourcefire Inc. (Nasdaq: FIRE)
  • Unisys Corp. (NYSE: UIS)

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    How to Think Like a Hacker
    Dr. Giovanni Vigna, Chief Technology Officer at Lastline,  10/10/2019
    7 SMB Security Tips That Will Keep Your Company Safe
    Steve Zurier, Contributing Writer,  10/11/2019
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    7 Threats & Disruptive Forces Changing the Face of Cybersecurity
    This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
    Flash Poll
    2019 Online Malware and Threats
    2019 Online Malware and Threats
    As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-10-16
    A Local Privilege Escalation vulnerability exists in the GlobalProtect Agent for Windows 5.0.3 and earlier, and GlobalProtect Agent for Windows 4.1.12 and earlier, in which the auto-update feature can allow for modification of a GlobalProtect Agent MSI installer package on disk before installation.
    PUBLISHED: 2019-10-16
    A Local Privilege Escalation vulnerability exists in GlobalProtect Agent for Linux and Mac OS X version 5.0.4 and earlier and version 4.1.12 and earlier, that can allow non-root users to overwrite root files on the file system.
    PUBLISHED: 2019-10-16
    There are some web interfaces without authentication requirements on D-Link DIR-412 A1-1.14WW routers. An attacker can clear the router's log file via act=clear&logtype=sysact to log_clear.php, which could be used to erase attack traces.
    PUBLISHED: 2019-10-16
    A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoint (CE) Software could allow an authenticated, local attacker to execute code with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating as the re...
    PUBLISHED: 2019-10-16
    A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to insufficient...