The Case for Open Source IDS

It’s only in the last few years that open source software has been adopted by mainstream business, and for Snort, it’s been no different. Now, however, Snort is one of the most popular intrusion detection systems in the world. The free version has been downloaded over 3 million times, there are some 100,000 registered users, and over 80 companies embed the Snort engine in their own security products.

The key, according to John Pescatore, an analyst with market researcher Gartner, Inc., is that Sourcefire, the company that owns the Snort software, has done a good job of making sure it stays truly open source, instead of directing Snort’s development to its own advantage. “It’s been able to find its own balance in the market,” he said. “It really is a very credible, open source product.”

Snort was written in 1998 by Martin Roesch, then an engineer at telecom company GTE-I, to satisfy his own needs for a detailed analysis of network traffic. He started Sourcefire in 2001 as a way of providing the kinds of tools that would make Snort easier for users to deploy.

Sourcefire makes money from Snort by utilizing commercial network management and analysis tools that take advantage of the data that the Snort engine spits out. But the Snort code itself is still in the hands of a broad, open community of developers managed by Sourcefire.

The community also develops the thousands of signatures produced in response to the many network attacks launched each year, the same signatures the Snort engine uses to detect intrusions.

Snort was originally developed to run on Linux but has since been ported to most major platforms, including Windows, BSD Unix, Sun Microsystems’ Solaris and SunOS, and Apple’s Mac OS X. It can be run in three modes: as a simple network packet sniffer, as a packet logger for such things as debugging network traffic, and as a full-blown network IDS and intrusion protection system (IPS).

