CheckPoint Acquires Snort

Posted by CmdrTaco on Thu Oct 06, 2005 12:35 PM
from the done-sniffing-each-other dept.
bobdehnhardt writes "The Snort-announce list was burning with the news that CheckPoint has signed an agreement to acquire Sourcefire, the commercial arm of the Snort community. As part of the agreement, CheckPoint will "continue to develop and distribute Snort under the GPL, improve and document the program to stay on the cutting edge and expand the snort.org web site." Here is a message from Snort creator Marty Roesch."
  • SnortFIRST (Score:1, Interesting)

    by Anonymous Coward on Thursday October 06 2005, @12:40PM (#13732270)
    best.Tool.Ever.

    Hope this does not compromise the GPL nature of this fantastic project.
  • by b1gk1tty (670514) on Thursday October 06 2005, @12:40PM (#13732274)
    " Here is a message from Snort creator Marty Roesch."

    I'm rich I'm rich I'm filthy f*ckin rich!
  • by Anonymous Coward on Thursday October 06 2005, @12:44PM (#13732309)
    I think its usefulness is very limited.

    It is nice to know I am protecting/monitoring my LAN from KNOWN attacks,
    it does very little to stop a determined attacker who can write
    their own shellcode and exploits.

    Which, if you hop on IRC nowadays, represents quite a few attackers.
    The people we made fun of long ago have acquired the skills to get around
    snort rather easily.

    So, rest at night, thinking you have protected your lan, while in reality
    you have not.

  • Loopholes (Score:2, Interesting)

    by diogenesx (580716) <kyle.m.hall@Nospam.gmail.com> on Thursday October 06 2005, @12:44PM (#13732314)
    Even with such language, does that stop them from forking the sources and creating a new closed source program with a new name?
    • Re:Loopholes (Score:5, Informative)

      by monkeydo (173558) on Thursday October 06 2005, @12:58PM (#13732471)
      (http://slashdot.org/)
      No, it doesn't. The owner of the copyright can stop releasing new versions under the GPL. Any code already licensed under the GPL would remain so, but nothing stops them from making all new versions closed, or something in between.
      • Re:Loopholes (Score:4, Informative)

        by FidelCatsro (861135) <fidelcatsro.gmail@com> on Thursday October 06 2005, @01:05PM (#13732551)
        (Last Journal: Wednesday July 26 2006, @04:50AM)
        Unless they accepted patches from a third party not directly involved in the project, they would need to track down each and every person that had (and acquire their blessing) or each and every code snippet and remove it.
        This is the same problem which faces the Linux kernel if they wished to move it to the GPL3.
  • More info from Checkpoint (Score:1, Redundant)

    by Parid (213793) on Thursday October 06 2005, @12:46PM (#13732342)
    Here is some more info from Checkpoint including a FAQ.
    http://www.checkpoint.com/sourcefire/

    I use both firewall-1 and sourcefire currently. The one thing I hope they /don't/ do is merge the two support teams. Sourcefire's support is decent, but Checkpoint's is downright awful.
  • Checkpoint and Linux (Score:1, Insightful)

    by Anonymous Coward on Thursday October 06 2005, @12:48PM (#13732359)
    Checkpoint are not known for being too interested in providing versions of their software for Linux. Lack of a current Linux checkpoint vpn client is all that's keeping me running a (gack) Windows machine in my home..

    Soooo.... is Checkpoint Snort going to go Windows-only??

    Then again, maybe this heralds a new era of cooperation between Checkpoint and the non-Windows world.
  • makes sense (Score:4, Interesting)

    by spurious cowherd (104353) on Thursday October 06 2005, @12:51PM (#13732387)
    "We believe Sourcefire has world-class solutions for internal security through their Intrusion Sensor, Real-time Network Awareness (RNA), and Defense Center product lines.

    Checkpoint needs this type of network awareness technology to keep up with Cisco
    I know they lost my company's contract because the network admins like the way Cisco stuff integrates

    I'll start by stating again what I've stated in the past, Snort is now and will continue to be free to end-users. We will continue to develop and distribute the Snort engine under the GPL, improve and document the program to stay on the cutting edge and expand the snort.org web site. The community continues, as always, to be important to us as a group of people who use the code pervasively throughout the entire Internet, report on problems and make suggestions and contributions to the project.

    This is critical to me for many reasons. It's good to see. Marty is a man of integrity & I'll bet this is in the acquisition contract

    Check Point to acquire privately held Sourcefire for a total consideration of approximately $225 million.

    Who says you can't make money from FOSS?
    Marty deserves the fiduciary rewards he'll get for all his hard work over the years

  • Snort.org (Score:1)

    by marcantonio (895721) on Thursday October 06 2005, @12:51PM (#13732396)
    Wow, it's been a while since I've been to the Snort website. It got very corporatey professional looking.
  • Snort... hrmm (Score:2)

    by Lucractius (649116) <<Lucractius> <at> <gmail.com>> on Thursday October 06 2005, @12:52PM (#13732409)
    (Last Journal: Thursday October 06 2005, @01:38PM)
    So CheckPoint is Snorting now is it... Do the cops know, have the DEA been called in to raid their offices?
  • Oh no! (Score:2)

    by wootest (694923) on Thursday October 06 2005, @01:00PM (#13732495)
    Does that mean my father will have to pay for permission when he chuckles?
  • no big deal (Score:5, Informative)

    by qwertphobia (825473) on Thursday October 06 2005, @01:01PM (#13732503)
    This is no big deal. Snort will continue to be GPL and freely available to the world.

    I'm more worried about the recent Nessus changes, have you heard about this?
    Nessus License Change Announcement [nessus.org]

    Nessus 2 will continue to be free
    Nessus 3 will be a free of charge, binary only release
  • by DrugCheese (266151) on Thursday October 06 2005, @01:31PM (#13732833)
    when he tried to cross the border with snort.
  • in other news... (Score:3, Funny)

    by portscan (140282) on Thursday October 06 2005, @01:40PM (#13732917)
    checkpoint has had yet another security breach. this time, instead of all of their background records being released onto the internet, the source code of their newly acquired security tool, "snort" was released onto the internet. many have already downloaded this and started using free of charge, not to mention modifying it as they see fit and redistributing it also free of charge. this is a truly embarrassing second offense for the security company.
  • by SnappingTurtle (688331) on Thursday October 06 2005, @02:34PM (#13733370)
    (http://www.idocs.com/)
    ... every time I get one of these damn sinus infections, but I don't put out a damn press release about it.
  • by loggia (309962) on Thursday October 06 2005, @02:37PM (#13733396)
    I see nothing positive about Snort being acquired by CheckPoint.

    CheckPoint bought Zone Labs a couple of years ago and Zone Alarm went from being a rock solid firewall to an absolute mess. There are so many problems with the new version of Zone Alarm that their forums are filled with complaints.
  • by raddan (519638) on Thursday October 06 2005, @02:38PM (#13733398)
    ...so that they can find out what's wrong with their shitty VPN software.
  • by waldonova (769039) on Thursday October 06 2005, @02:49PM (#13733482)
    I have snort running with BASE, for a nice NID management setup. Without the rules, not much will happen.
    There are currently three levels of access to rules, as seen at http://www.snort.org/rules/

    1. Anyone can get the rule set that is released with the latest version.
    2. People who pay the big bucks ($1,795/year) can get updated rule sets as soon as they are released.
    3. A third level sits in the middle; where if you register with sourcefire you can get the updated rules five days after they are released to the premium members.

    Martin, I am sure that "Check Point is very excited about continuing Sourcefire's involvement with the open source community!". I hope that doesn't mean that they are excited about getting fees for any and all rules from the open source community.
  • *ARGHH* headline! (Score:2)

    by Cally (10873) on Thursday October 06 2005, @02:51PM (#13733499)
    (http://www.vanitydomainsarelikeso20thcentury.org/)
    'Checkpoint buys Snort' - 10/10 for an arresting headline, minus several billion for good thinking. Checkpoint has bought Sourcefire, not *Snort*. That's like saying OSDN have "bought Linux" because they happen to pay Linus.

    Honestly, the "slashdot's going down hill" trolls have been making me roll my eyes pretty much as soon as I became a regular, but things like this really make me wonder :(

  • Kate Moss (Score:3, Funny)

    by Anonymous Coward on Thursday October 06 2005, @03:41PM (#13733930)
    Kate Moss unavailable for comment.
  • Here's my question (Score:2)

    by Flower (31351) on Thursday October 06 2005, @03:51PM (#13734012)
    (http://slashdot.org/)
    How much *significant* code has been contributed to Snort by people outside of SourceFire? I'm talking about things like Frag3, etc. - the underpinnings of Snort.
  • by recharged95 (782975) on Thursday October 06 2005, @04:05PM (#13734164)
    (Last Journal: Friday September 17 2004, @04:10PM)
    Problem is all the competitors have better tools out there [or in the works...] now for IDS. Believe me, it's just no one's buying.

    The neat thing about snort is its history and that I hope companies look at it as a model of S/W development (i.e. FOSS). I wish they turn their rules language via an XML Schema.

    Interesting trivia to ask is where did snort originate? The feds come to mind ;).

    [Funny] It's understandable why Marty had to sell! A big house and a brand new [huge] office building for the peeps (better than the last location) will suck the $$$ dry quickly.

  • by easternerd (861245) on Friday October 07 2005, @05:32AM (#13738064)
    (http://securityrisk.org/)
    I am very sure that Checkpoint would not remove Snort from GPL, and it's good news for all the snort fans out there.. with Checkpoint's popularity and financial power they might be able to improvise the snort to be able to offer better Inline IPS features..
    The main reason I am very enthusiastic is that there is not much competition in the IDS sphere, and checkpoint systems for one doesn't have a base in IDS hence with this acquisition I guess there will be good competition for Cisco, McAfee and TippingPoint.

    just hope to get the best anyway...
  • Re:In other news (Score:1, Interesting)

    by Anonymous Coward on Thursday October 06 2005, @01:18PM (#13732688)
    Who are these companies?

    Note to non-technical people: either STFU or stay the f*** off of /. Frankly, if you don't know who CheckPoint is, half of the stuff here has to be over your head, anyway.

    Can't we have some type of "technical abilities" test, so we can adjust a post's initial score, based on the result? Of course, we'd never see AC posts, but still - it's sad that someone had to use mod points on this.
  • Re:Letter Text (Score:1)

    by kc0re (739168) on Thursday October 06 2005, @01:35PM (#13732876)
    (http://esler.is-a-geek.net/ | Last Journal: Monday February 09 2004, @10:13AM)
    Interesting. Snort looks like a pretty cool tool. Anyone know more about it? How does it hold up against other intrusion detection packages?

    Snort is the most widely used IDS in the world today. > 2,000,000 downloads. It beats every competitor, Cisco, ISS, McAfee, 3COM. Rated #1 by SC Magazine.. etc..etc..etc..
  • by ripcrd (31538) on Thursday October 06 2005, @01:41PM (#13732927)
    What rock have you been under? If you like to keep up on network admin tools, then you are way behind. I first heard of Snort in 2001 or 2002. Snort runs on my IPCop firewall and scans for baddies trying to get in.

    Hell, they are past version 2.4 and you are just NOW hearing about it? Holy crap!
  • Re:In other news (Score:1)

    by Frank T. Lofaro Jr. (142215) on Thursday October 06 2005, @03:36PM (#13733882)
    (http://www.linux.com/)
    You got a big Mac at Fry's?

    How's OSX? ;)
