DHS, vendors unveil open source intrusion detection engine
The Open Information Security Foundation (OISF), a group funded by the U.S Department of Homeland Security (DHS) and several security vendors, this week released an open source engine built to detect and prevent network intrusions.
The somewhat oddly named Suricata 1.0 engine is touted as a replacement for the 12-year-old Snort open source technology that over the years has emerged as a sort of de facto standard for detecting and preventing intrusions.
Snort currently claims close to 300,000 registered users and over 4 million downloads. Nearly 100 vendors currently have added Snort to network security devices. Earlier this month Amazon announced that it has selected Snort to deliver IPS protection for its Web services customers.
OISF president Matt Jonkman said that Suricata is designed to address some limitations in the older Snort tool. For example, Suricata’s multi-threaded architecture can support high performance multi-core and multiprocesser systems, Jonkman said. Snort is designed for the single-processor systems that dominated the tech world when it was created.
The new engine also offers native IP reputation filtering capabilities that allow Suricata-based intrucion detection and intrusion prevention devices to flag traffic from known bad sources. In addition, Suricata supports an automated protocol detection capability that enables protocol-specific security rules to be applied to a network stream, regardless of the port from which the traffic originated from.
“[Intrusion detection technology] has been stagnant for the last five years,” Jonkman said. “There’s been no innovation because there is no commercial motivation,” for vendors to enhance it on their own, he said.
Security vendors in general have been unable or unwilling to spend the millions of dollars it takes to develop a new IDS engine from scratch, he said.
Martin Roesch, CTO of Sourcefire and the developer of Snort, disputed Jonkman’s claim that Suricata is superior to the older technology.
The OISF would “really, really like to displace Snort as the next big IDS engine out there,” Roesch said. “But if you look at [Suricata’s] detection model it is exactly the same as Snort’s,” he added.
Roesch also downplayed the significance of Suricata’s multithreaded architecture and claimed that its implementation would slow the detection engine rather than make it faster. He acknowledged that Suricata’s automated protocol detection capability is useful, but contended that other claimed benefits of the technology, such as IP filtering, are not available on Version 1.0 of the new engine.
Though Suricata has been developed at least partly with government funding, it is unlikely that it can be used in a classified computing environment because it doesn’t allow users the option of hiding the rules they are using for inspecting network traffic, he said. Snort, on the other hand, allows users this option, Roesch noted.
“OISF has wrapped Suricata in some cool computer science concepts,” Roesch said. “But they have not delivered on their vision. [Suricata] offers a subset of Snort functionality at a fraction of its performance.”
Intrusion detection and prevention systems are basically used to perform real-time analysis on network traffic for the purposes of detecting suspicious probes, intrusions and attacks. Such products are available from numerous vendors, including McAfee, Cisco and Snort-developer Sourcefire.
More than 25 developers from around the world worked on developing Suricata. In addition to DHS, several security vendors including Endace, NitroSecurity and Everis contributed funding for the effort.
The technology is currently available for immediate download under the Open Source GNU General Public License.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.
Jaikumar Vijayan