Cisco re-wrote everything to implement its ideas

Dec 12, 2014 14:32 GMT  ·  By

Cisco announced on Thursday the availability of an early release of what would become intrusion prevention system Snort 3.0, a complete re-write of the original solution.

Snort was a project of Sourcefire, developer of network security solutions, both hardware and software. In July 2013, Cisco started the acquisition process of the company, for the sum of $2.7 / €2.171 billion. The procedure completed a few months later, in October.

Since purchasing the developers of Snort, Cisco maintained the original distribution of the IPS, which has more than 5 million downloads, and worked on the new version of the product, as envisioned by its original developer, Marty Roesch, founder of Sourcefire.

New code for new ideas

That version reached a beta stage, called Snort Security Platform (SnortSP). However, some of the ideas Cisco had for the product could not be implemented on top of the existing source code, so a complete re-write was in order.

“We took Marty’s initial rethinking and expanded beyond that, testing different concepts of multithreading, detection, interaction, programmatic interfaces, etc. This all now culminates in the alpha release of project ‘Snort++’, which will become version Snort 3.0,” explains Joel Esler, Threat Intelligence Team Lead and Open Source Manager at Cisco.

The current release is far from perfect, and it is intended only for testing and reporting the glitches to the developers. No software in alpha development stage should be used for production, and this one isn’t, either.

New Snort is more accessible

Esler reveals in the blog post some of the features of the new product, which seem focused on a different class of users: those who lack the knowledge needed to customize an IPS product.

The user-friendly design planned by Cisco includes verification of the configuration on startup, faster deployment of Snort, auto-detection of all protocols, and custom HTTP buffers.

Writing rules should be easier starting with Snort 3.0, as the new developers worked on simplifying the rule language.

Improvements have touched the command line shell too, which is now restricted to localhost and allows reloading a configuration or pausing and resuming detection.

Cisco plans on keeping Snort users up to speed with the product's new developments, promising to hold webinars, publish white papers, and release code that can be tested.

Users can track all the changes made in the new Snort, as the company has made the code public on GitHub.