Cisco Announces Plan to Reinvent Snort 3 IPS

The open-source Snort intrusion prevention system kicks off new 3.0 development, for the second time.


Back in 2009, Sourcefire, the lead commercial sponsor behind the widely deployed Snort open-source intrusion detection/prevention system (IDS/IPS), was working on building out its next-generation Snort 3.0 release. It's a release that never happened—that is, until today.

The first alpha release of Snort 3 was announced Dec. 11 by Martin Roesch, the original creator of Snort and current vice president and chief architect in Cisco's security business group. Roesch joined Cisco as part of the $2.7 billion acquisition of Sourcefire, which closed in October 2013.

"Basically with the original Snort 3 project, performance wasn't where it should be, so we spent time analyzing it," Roesch told eWEEK. "We got to the point where we understood what needed to be done, but market conditions changed on where Sourcefire as a company needed to spend its resources."

Around the time of the Cisco acquisition in 2013, Sourcefire began to revisit the Snort codebase for a 3.0 update, according to Roesch. Now his group is at a point where it can pick up the code and move it forward in new ways, he added.

Being part of Cisco is a key enabler for Snort 3.0 development. Roesch noted that Cisco's management understands the value of open-source software. Additionally, as part of Cisco, Sourcefire and the Snort development team have more resources available, which all help to advance the code.

Although the original Snort 3.0 was never released, there were in fact some features from its development that landed in the existing Snort 2.x codebase. The original Snort 3.0 was set to include native support for the IPv6 protocol as well as Multiprotocol Label Switching (MPLS). Roesch noted that Snort now supports both IPv6 and MPLS.

With the new Snort 3.0 effort, one of the primary goals is to implement a user-friendly design.

"The user-friendliness features, for example, might enable users to build a programmatic interface for Snort, so when you run it, it can ask the user what class of attacks to look for," Roesch said. "So we can build more interactive mechanisms for getting Snort running, even at the command line."

The user-friendliness is being enabled in part by a new command-line shell that leverages the open-source Lua language.

There is also a plan to have a simpler language for Snort rules. Roesch explained that the new rules language will be more streamlined than the existing language. The goal for the new rules language is for both humans and machines to be able to more easily read and write Snort policies.

The most current stable open-source Snort release is version, but that doesn't imply that the new Snort 3.0 release will be coming within the next three regular Snort release update cycles. Roesch said he doesn't mind having a Snort 2.10.0 or an even higher number, emphasizing that the development of Snort 3 will take its due and proper course.

Snort is particularly important now, as it is the engine behind Cisco's commercial IPS/IDS efforts as well.

"I expect Snort 3 will be the core of our commercial IPS when we determine that it's ready," Roesch said. "We're built on Snort here, but we have to mature it [Snort 3] and get it battle-tested to make sure that it performs."

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.