Snort Author Stands by IDS
Marty Roesch, author of the popular Snort open-source intrusion detection system, discusses the backlash against IDS and its future.
If you ask Marty Roesch, intrusion detection is getting a bad rap. A recent report from Gartner Inc. declared the technology to be dead and said it would soon be replaced by uber-firewalls capable of doing deep packet inspection. Add to that the encroaching threat from so-called intrusion prevention vendors who make a living bashing IDS, and you start to see why Roesch is a little testy. Roesch's feelings are certainly understandable, given that he's the author of the hugely popular Snort open-source IDS technology, which he has since expanded and improved upon and which is the basis for his current venture, Sourcefire Inc. Senior Editor Dennis Fisher met with Roesch recently to discuss the backlash against IDS, the state of the market and what the future may hold for the technology.
What was your initial reaction to the declaration that IDS is dead?
I really couldn't believe it. The points they make about the quality and the amount of data [coming from IDS systems] are valid. But their conclusions are all wrong. It's been a real challenge, because people who don't know better take this data [from Gartner] at face value. It's frustrating because we've outlined our strategy to Gartner, and they were dismissive of it. If we were just Snort on a box, there's no way we'd be growing at the rate we are. We're up to 85 people and had more revenue in the second quarter than we did all of 2002.
As you said, there's a lot of grumbling about false positives from IDS. Isn't that a legitimate complaint?