Serious accusations from two highly talented experts in intrusion detection leave the rest of us wondering just where IDS is headed. Matt Jonkman and Martin Roesch have been bickering. Jonkman's claims that IDS technology has been "stagnant for the last five years" prompted Roesch, the author of the venerable Snort, to fire back that Suricata is "a clone of Snort that performs worse at taxpayer's expense."
Unfortunately, the flame wars stirred pent up frustrations among the projects' leaders. SourceFire's Vulnerability Research Team (VRT) continued the debate through performance tests posted on its blog, contending that "Suricata's performance isn't just bad; it's hideously, unforgivably bad." The article goes on to state that Suricata's capabilities are inherently limited by its choice of the Snort rule language, and that despite a million dollars in development, the OISF has "failed, utterly, to deliver on their promises."
A rabid reader known as evilghost brought the article to the attention of the snort-sigs mailing list, revealing his plans to creatively combine toilet paper, VRT, and a night of heavy drinking. Jonkman eagerly weighed in that the OISF is "not really here to challenge SourceFire," and that it offers "the olive branch of cooperation." Jonkman also vehemently repudiated SourceFire's statements regarding the use of multi-threading, citing Cisco's successful implementation as proof of concept.
Roesch replied on the defensive, pointing to Jonkman as the initiator of the debate, and claiming that SourceFire "responded when the press started calling us and asking us for our thoughts." He points out a number of Suricata's commonalities with Snort and the limitations that come with it, then closes by suggesting that the "concept of peaceful coexistence only works if both parties are honest about their intentions."
Subscribers without evilghost's, err, "stomach for controversy" called for the debate to be continued offline, but Jonkman needed one more round. In an unprompted and long winded argument regarding the OISF's non-profit status and aggressive stance against commercialization, he says that "there isn't commercial advantage in building new engines alone. The money goes to management/forensics consoles, rules, and big fast boxes. The engine is an afterthought, and no one is interested in paying for one over another."
His closing question is a cliffhanger. "Does Sourcefire have any interest in cooperating or collaborating with the foundation?"
The response? "As requested by many, replied to privately."
The entire episode is a marked departure from a cooperative attitude in years past. In what was perhaps their earliest exchange on the same mailing list in January, 2002, Roesch answered a question from Jonkman about Snort's stream4 TCP stream module. "If you want to take a stab at implementing it, I'll take a look at what you come up with." Jonkman replied, "I appreciate getting the info straight from the horse's mouth."
Name calling since the beginning.
Find your next job with techworld jobs