Cisco Continues to Advance Snort 3 Network Security Development

The open-source Snort intrusion detection and prevention system (IPS/IDS) is gearing up for a major update that will influence the future of Cisco's next generation security appliances.

In a video interview with eWEEK, Marty Roesch vice-president and Chief Architect of Cisco's Security Business Group discusses the current state of the Snort 3.0 project. Roesch is the original author of Snort, which became the foundation of his company Sourcefire, that Cisco acquired for $2.7 billion in October 2013. Work on Snort 3 has been ongoing since at least December 2014, and since the effort got underway has been viewed as a re-thinking of how IPS/IDS works. Roesch said that Snort 3 is largely feature complete at this point and is now going though its beta development cycle.

"It's pretty much a re-write," Roesch said of the Snort 3 codebase. "There were sins of my youth in the original Snort engine, reflected in things like the Snort rule language and configuration system."

Roesch said that the rule language has been normalized in Snort 3, such that it is more consistent. Snort 3 has also been designed for modern systems with a multi-threaded and multi-architecture approach.

While some parts of Snort are changing, the core idea of enabling extensibility, which it has had since Roesch created the open-source project in 1999 will remain. Roesch explained that Snort provides a framework for intrusion detection, which enables users to drop in additional capabilities as needed.

Snort 3 when completed will be a foundational technology inside of Cisco's Firepower security appliances and AMP (Advanced Malware Protection) security technologies.

"It (Snort) will be the core of the NGFW (Next Generation Firewall) engine that does deep packet inspection and protection," Roesch said.

Why Cisco

Roesch also commented on why he still works at Cisco, four and a half years after Sourcefire was acquired. While tech company founders frequently depart after their prized startups have been acquired, Roesch remains motivated to work at Cisco because of the opportunities that it provides and the massive data sets he can learn from. Roesch noted that the Cisco Talos cyber-security research team reports to him, providing him with insights from across a large cross section of the internet.

"If you're a security geek, it's a really cool place to work," he said.

Watch the full video interview with  Marty Roesch above.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.