Comment Re:It's not dead. (Score 2, Interesting)
I suspect in a lot of places where Snort is used, it's mostly just sitting there quietly generating thousands of mostly '(http_inspect) DOUBLE DECODING ATTACK' alerts and being completely ignored. It's easy enough to set it up, but out of the box it typically generates an awful lot of noise in the form of largely useless alerts, so it takes some configuring (and understanding of exactly what those alerts are) to get it to a point where it's really useful.
And yes, I reckon that the commercial aspect to Snort probably is a key factor in this argument. They push that quite heavily IMO with (e.g.) new rules only being available to subscribers and other users having to register and wait until they're 30 days old to download them.
I'm curious as to whether Suricata is any good; I might have to check it out. Also, meerkats.
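As an added illustration of the tuning problem described in the comment (this is example code, not the commenter's), the script below parses Snort 2 `alert_fast` output, ranks signatures by volume so that noise like the `(http_inspect) DOUBLE DECODING ATTACK` preprocessor alert stands out, and emits `threshold.conf` `event_filter` lines that rate-limit the loudest signatures per source instead of suppressing them outright. The alert log is constructed sample data, the `1:1000001` rule is a made-up local rule, and the `alert_fast` line layout is assumed as shown in the comment at the top of the block.

```python
import re
from collections import Counter

# Snort 2 "alert_fast" layout assumed here:
#   MM/DD-HH:MM:SS.us  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample log (not from a real sensor); 1:1000001 is a made-up local rule.
SAMPLE_ALERTS = """\
08/15-10:23:01.123456  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 10.0.0.5:51234 -> 192.0.2.10:80
08/15-10:23:01.223456  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 10.0.0.5:51235 -> 192.0.2.10:80
08/15-10:23:02.000001  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 10.0.0.7:40001 -> 192.0.2.10:80
08/15-10:23:05.500000  [**] [1:1000001:2] LOCAL outbound shell prompt seen [**] [Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 192.0.2.10:80 -> 10.0.0.5:51236
"""

def parse_alerts(text):
    """One dict per parseable alert line; anything else (banners, blanks) is skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            a = m.groupdict()
            for k in ("gid", "sid", "rev", "prio"):
                a[k] = int(a[k])
            alerts.append(a)
    return alerts

def count_by_signature(alerts):
    """Alert volume per (gid, sid, msg): the loudest rules are the tuning candidates."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)

def suggest_filters(counts, min_count, seconds=60):
    """threshold.conf event_filter lines for every signature firing >= min_count times.

    Rate-limiting per source (type limit) keeps one alert per window rather than
    suppressing the rule, so a genuine burst still leaves a trace in the log."""
    return [
        f"event_filter gen_id {gid}, sig_id {sid}, type limit, track by_src, count 1, seconds {seconds}"
        for (gid, sid, _msg), n in counts.most_common()
        if n >= min_count
    ]
```

Run it over a real `alert` file with `parse_alerts(open(path).read())` and pick `min_count` from the volume distribution; review each suggested line against what the alert actually means before adding it to `threshold.conf`.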