Snort Author Stands by IDS

Marty Roesch, author of the popular Snort open-source intrusion detection system, discusses the backlash against IDS and its future.

If you ask Marty Roesch, intrusion detection is getting a bad rap. A recent report from Gartner Inc. declared the technology to be dead and said it would soon be replaced by uber-firewalls capable of doing deep packet inspection. Add to that the encroaching threat from so-called intrusion prevention vendors who make a living bashing IDS, and you start to see why Roesch is a little testy. Roesch's feelings are certainly understandable, given that he's the author of the hugely popular Snort open-source IDS technology, which he has since expanded and improved upon and which is the basis for his current venture, Sourcefire Inc. Senior Editor Dennis Fisher met with Roesch recently to discuss the backlash against IDS, the state of the market and what the future may hold for the technology.

What was your initial reaction to the declaration that IDS is dead?

I really couldn't believe it. The points they make about the quality and the amount of data [coming from IDS systems] are valid. But their conclusions are all wrong. It's been a real challenge, because people who don't know better take this data [from Gartner] at face value. It's frustrating because we've outlined our strategy to Gartner, and they were dismissive of it. If we were just Snort on a box, there's no way we'd be growing at the rate we are. We're up to 85 people and had more revenue in the second quarter than we did all of 2002.

As you said, there's a lot of grumbling about false positives from IDS. Isn't that a legitimate complaint?

A lot of the false positives are non-contextual events. They're things like Code Red attacks against Linux servers, for example. So they're things that are actual attacks, but they're just not aimed at the right place. This is important because it speaks directly to Gartner's problem. It's all just noise coming out of an IDS to them.

How concerned are you about the threat from intrusion prevention technologies?

Right now, not much at all. There are so many problems around deploying it that no one's willing to bet the stability of their network on it. There's no supporting evidence that it works at all. I think ultimately it becomes an upgrade to firewalls down the road.

How is the work on the new RNA [Real-time Network Awareness] technology coming?

It's going well. I've been doing some of the development myself. We're going to have a beta [this month]. We're working on the GUI and some back end stuff right now. The biggest thing is that we're doing passive OS and service fingerprinting. This gives you continuous monitoring and sees problems as they happen.

How will that improve the quality of the data coming out of the system?

Well, we're looking at different ways to do protocol identification, for example. So that you don't identify SSH on port 80 as HTTP.
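The two ideas Roesch raises above, dropping "non-contextual" alerts such as a Code Red hit against a Linux host and identifying a protocol from its payload rather than its port, as a small added illustration that is not code from the interview, from Snort or from Sourcefire. The hosts, signature names, rule metadata and payloads are all constructed sample data.

```python
from dataclasses import dataclass

def identify_protocol(payload: bytes) -> str:
    """Classify the first bytes of a flow by content, ignoring the port number."""
    if payload.startswith(b"SSH-"):                      # SSH version-exchange banner
        return "ssh"
    method = payload.split(b" ", 1)[0]
    if method in (b"GET", b"POST", b"HEAD", b"PUT") or payload.startswith(b"HTTP/"):
        return "http"
    return "unknown"

@dataclass
class Alert:
    sig: str                             # signature name (constructed)
    dst_ip: str
    dst_port: int
    payload: bytes
    target_os: frozenset = frozenset()   # OS families the rule applies to; empty = any
    protocol: str = ""                   # protocol the rule assumes; "" = any

# Constructed passive inventory: what OS fingerprinting learned about each host.
INVENTORY = {"10.0.0.5": "linux", "10.0.0.9": "windows"}

def is_contextual(alert: Alert, inventory=INVENTORY) -> bool:
    """True when the alert is relevant to its real target: the host's OS is one the
    signature applies to (hosts we know nothing about are kept), and the protocol
    actually on the wire is the one the rule assumed."""
    host_os = inventory.get(alert.dst_ip)
    if alert.target_os and host_os is not None and host_os not in alert.target_os:
        return False                                      # e.g. IIS worm against Linux
    if alert.protocol and identify_protocol(alert.payload) != alert.protocol:
        return False                                      # e.g. SSH on port 80 is not HTTP
    return True

def triage(alerts, inventory=INVENTORY):
    """Split alerts into ones worth an analyst's time and contextual noise."""
    keep = [a for a in alerts if is_contextual(a, inventory)]
    noise = [a for a in alerts if not is_contextual(a, inventory)]
    return keep, noise

# Constructed sample alerts: the same worm signature against a Linux and a
# Windows host, plus an HTTP rule that fired on an SSH banner seen on port 80.
SAMPLE = [
    Alert("WEB-IIS worm probe", "10.0.0.5", 80, b"GET /default.ida?NNNN HTTP/1.0",
          frozenset({"windows"}), "http"),
    Alert("WEB-IIS worm probe", "10.0.0.9", 80, b"GET /default.ida?NNNN HTTP/1.0",
          frozenset({"windows"}), "http"),
    Alert("WEB-MISC long URI", "10.0.0.5", 80, b"SSH-2.0-OpenSSH_3.6", frozenset(), "http"),
]
```

Running `triage(SAMPLE)` keeps only the alert against the Windows host; the other two are reported as noise rather than discarded silently, so the inventory itself can be audited.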

What's the reaction been from potential customers?

We've had a lot of interest from some big companies that see applications for the data. It gives you a more efficient way to look at the IDS data. And some of our partners, like Sun, are excited about RNA.