2007-06-20

Martin Roesch on Snort 3.0 and Sourcefire

Yesterday Sourcefire put on a two-hour presentation at the EMP here in Seattle. With admission you got some swag, including a calendar and a Snort toy, admission to the Sci-Fi museum for the afternoon and an "ice cream social". Below are notes from the presentation; these are not my opinion. Overall I found the presentations pretty interesting, with them covering the following topics:
  • Sourcefire & Snort; past, present & future
  • Demo of their RNA/ETM tools
  • Snort 3.0
  • Sourcefire 4.7
In particular, I wanted to hear Marty's thoughts on Snort 3.0 and where he is heading. Martin said that the 3.0 release would focus on the following areas:
  • Reduce Manual Tuning & Automate Configuration
    • "Tuning today is a failure"
      • We need dynamic defense for dynamic networks
  • Solve layer 3/4 evasion due to the IDS not being IP stack aware
    • Model the way an endpoint sees, model the IP stack
  • Normalize rules and configuration languages
    • Pro
      • Rules work well
      • Trivial to use for simple stuff
    • Con
      • Ugly
      • Hard to do hard things
      • A bad rule can significantly impact performance
    • Snort is not a language project
      • Lua will be Snort 3.0's next-generation language processor
      • Snort 3.0 will include a command shell that will allow Lua commands to be executed
  • Take better advantage of hardware
    • We are getting more cores, not speed. Snort is single-threaded; this is a problem.
      • Must multi-thread snort
    • Vendors are accelerating the wrong parts of Snort and have been for years
      • Need explicit locations for optimization.
Martin asserts that tuning, prioritization and evasion are the same problem. The root of this problem is a lack of knowledge of what is being defended. The solution is to impart knowledge about the operating environment directly into the engine. This allows the engine to tune itself, automate anti-evasion and automate prioritization. Above is the Snort 3.0 architecture as described/shown by Martin.

I think the rearchitecture and threading are of primary interest. I will be surprised if Martin is able to release RNA as open source and integrate that into Snort. If that doesn't happen, it either means that the automation features won't make it into Snort or they won't work nearly as well as RNA.
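To make the "model the IP stack" point concrete, here is an added example (my own sketch, not Snort or Sourcefire code) of target-based TCP reassembly: the same overlapping segments yield different byte streams depending on the destination host's overlap policy, so a sensor that does not know the target's policy may inspect bytes the endpoint never sees. The host table, policy names and sample segments are constructed for illustration.

```python
"""Target-based reassembly sketch (added example, not Snort code).

Two hosts resolve overlapping TCP segments differently; the sensor must model
the destination's policy to see the same bytes the endpoint sees.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # relative sequence number of the first payload byte
    data: bytes


# Constructed overlap policies: "first" keeps bytes already received,
# "last" lets a later overlapping segment overwrite them.
POLICIES = {"first", "last"}


def reassemble(segments, policy):
    """Rebuild the contiguous in-order stream from segments in arrival order."""
    if policy not in POLICIES:
        raise ValueError(f"unknown overlap policy: {policy}")
    stream = {}  # offset -> byte value
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "last" or off not in stream:
                stream[off] = byte
    out = bytearray()
    off = 0
    while off in stream:  # stop at the first hole; nothing past it is usable yet
        out.append(stream[off])
        off += 1
    return bytes(out)


# Constructed host table standing in for environment knowledge (RNA-style):
# destination IP -> overlap policy of that host's TCP stack.
HOST_POLICY = {"10.0.0.5": "first", "10.0.0.7": "last"}


def inspect(dst_ip, segments, pattern, default="first"):
    """Return (reassembled bytes, pattern found) using the target's policy
    if known, otherwise the sensor-wide default."""
    policy = HOST_POLICY.get(dst_ip, default)
    data = reassemble(segments, policy)
    return data, pattern in data


# Constructed sample: segment 2 overlaps bytes 2-3 of segment 1 with different content.
SAMPLE = [Segment(0, b"ABCD"), Segment(2, b"xyEF"), Segment(6, b"GH")]

if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.0.7"):
        data, hit = inspect(ip, SAMPLE, b"CDE")
        print(ip, HOST_POLICY[ip], data, "match" if hit else "no match")
```

Running it shows the "first" host reassembling `ABCDEFGH` and the "last" host `ABxyEFGH`, so a sensor-wide default policy would get one of the two targets wrong.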
