Sourcefire, best known for its Snort intrusion-prevention technology, Tuesday is unveiling a new open source project called Razorback that's designed to spot malware and especially zero-day exploits. "We want others to test it to see if our idea about this new protection framework is as innovative as we think it is," says Matt Watchinski, senior director on the Sourcefire vulnerability research team.

Sourcefire says Razorback is designed with a "defense routing system" that monitors for certain traffic types, such as HTTP, web or SMTP-based email, in order to forward mirrored data to any means of security analysis system that can be plugged into it. Security tools supporting Razorback could be either open source or proprietary.

Razorback monitoring could be integrated directly into security gateways as well as deployed on standalone servers. A typical place to put the main Razorback monitoring component would be directly behind an antivirus filtering point, according to Sourcefire, which also shepherds the open source Clam A/V toolkit. Razorback could also work with security information and event management products.

Razorback "knows the resources in the organisation that might have a specific interest in files, such as PDFs, for example," which could have malicious code embedded in them, Watchinski says. Razorback-monitored PDF files could be sent to a forensics tool that could analyse them for zero-day vulnerabilities or possible exploit code.

Razorback's "defense routing system" is not necessarily real time and it's not yet designed to directly block suspicious data.The underlying idea of the open source project is to set up multiple paths to simultaneously transmit any mirrored data of specific security concern onward to designated security points for analysis, output and feedback to Razorback. On a more advanced level, these third-party Razorback-supported tools, after security analysis, could in theory assist Razorback in recommendations to take protective blocking measures or update threat determinations.

Today, Razorback has been developed to work with open source Snort and Clam AV as well as other open source code, such as Postfix.

Sourcefire has no publicly stated intention as of yet to launch a commercial product based on Razorback. The company does say the defence sector is interested in development of the kind of defence-routing system that Razorback seeks to foster through open source.

Razorback will be licensed by Sourcefire under open source GPLv2 licence. In general, Sourcefire expects the code to be available for free to users and vendors, but if Razorback is modified with the intent to sell it as a commercial product, discussion about licensing fees can be expected.