The creator of Snort, the open-source network-based Intrusion Detection
System (IDS), says the software is up for an overhaul.
IDS has failed to impress the market, Martin Roesch told delegates at the
AusCERT computer security conference in Queensland. The inability of many to
"tune" an IDS -- minimising the number of false alarms triggered by the
monitoring devices -- has been a major drawback for the widespread
acceptance of the technology, he said.
The next generation of Snort will include "passive discovery" features,
Roesch said, which will automatically tweak the package's settings.
"IDS is not working as well as had been hoped, or as well as had been
hyped," he said. "People have been saying... IDS can be used to secure your
network. But that's not the role of an IDS."
Now the chief technology officer of US-based Sourcefire, which sells
Snort-based intrusion detection systems, Roesch says auto-discovery features
could be used to apply specific detection policies to particular devices on
If the new software detects an Apache server running on Linux, it will only
look for attacks relevant to that configuration, instead of monitoring the
device for an attack that would affect a Cisco router or Windows server.
"If you don't have a technology that's capable of understanding what's out
there on the network... then you're going to have big problems," he said.
Speaking to ZDNet Australia after his presentation, Roesch said the
new features had been discussed within Sourcefire, but an actual release
date to the open-source community is still unclear. "We haven't really
talked about this with the open source community yet," he said. "Some big
changes need to be made to the [Snort] engine to make this work."
Unlike more passive intrusion detection set-ups, the revamped Snort will be
able to enforce policies through its new capabilities. "The idea is to take
a policy like 'thou shalt not run OS X on the network,' and then if someone
with a Mac plugs into our network... it can tell the firewall to [block
them]," he said.
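The two ideas Roesch describes above, tailoring detection to what passive discovery has learned about each host and turning a "thou shalt not run OS X" policy into a firewall block, are sketched below in Python. This is an added illustration written for this page, not Snort code or anything Sourcefire shipped; the observed traffic, the rule metadata (the sids and the os/service tags) and the fingerprinting heuristics are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample of passively observed traffic: (src_ip, protocol, payload).
# These are made-up messages, not captures from any real network.
OBSERVED = [
    ("10.0.0.5", "http", "HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Debian)\r\n"),
    ("10.0.0.7", "http", "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n"),
    ("10.0.0.9", "dhcp", "vendor-class: Mac OS X; hostname: lisas-macbook"),
    ("10.0.0.5", "ssh", "SSH-2.0-OpenSSH_9.2p1 Debian-2"),
]

# Constructed rule set. "sid"/"msg" mimic Snort rule metadata, but these sids
# and the os/service target tags are hypothetical, not real Snort rules.
RULES = [
    {"sid": 1, "msg": "Apache path traversal attempt", "os": "linux", "service": "apache"},
    {"sid": 2, "msg": "IIS WebDAV overflow attempt", "os": "windows", "service": "iis"},
    {"sid": 3, "msg": "Cisco IOS HTTP auth bypass", "os": "cisco_ios", "service": "http_admin"},
    {"sid": 4, "msg": "SSH brute-force attempt", "os": "any", "service": "ssh"},
    {"sid": 5, "msg": "Generic TCP port scan", "os": "any", "service": None},
]


@dataclass
class Host:
    """What passive discovery has learned about one IP so far."""
    ip: str
    os: str = "unknown"
    services: set = field(default_factory=set)


def fingerprint(proto, payload):
    """Return (os_hint, service) inferred from one passively observed message.
    Deliberately simple banner heuristics, constructed for this example."""
    os_hint, service = "unknown", None
    if proto == "http" and "Server:" in payload:
        banner = payload.split("Server:", 1)[1].split("\r\n", 1)[0].strip()
        if banner.startswith("Apache"):
            service = "apache"
            if any(d in banner for d in ("Debian", "Ubuntu", "CentOS")):
                os_hint = "linux"
        elif banner.startswith("Microsoft-IIS"):
            service, os_hint = "iis", "windows"
    elif proto == "ssh" and payload.startswith("SSH-"):
        service = "ssh"
        if "Debian" in payload or "Ubuntu" in payload:
            os_hint = "linux"
    elif proto == "dhcp" and "Mac OS X" in payload:
        os_hint = "osx"
    return os_hint, service


def build_inventory(observed):
    """Merge per-message hints into one Host record per IP (never overwrite a
    known OS with 'unknown')."""
    hosts = {}
    for ip, proto, payload in observed:
        host = hosts.setdefault(ip, Host(ip))
        os_hint, service = fingerprint(proto, payload)
        if os_hint != "unknown":
            host.os = os_hint
        if service:
            host.services.add(service)
    return hosts


def select_rules(host, rules=RULES):
    """Target-based tuning: keep only the rules whose target matches the host,
    so a Linux/Apache box is not watched for IIS or Cisco attacks."""
    return sorted(
        r["sid"] for r in rules
        if r["os"] in ("any", host.os)
        and (r["service"] is None or r["service"] in host.services)
    )


def enforce_policy(hosts, forbidden_os):
    """Policy enforcement: turn 'thou shalt not run X' into firewall actions."""
    return [f"block {h.ip}" for h in hosts.values() if h.os in forbidden_os]


def tuning_summary(hosts, rules=RULES):
    """(rule checks per host with every rule on, rule checks after tuning)."""
    untuned = len(rules) * len(hosts)
    tuned = sum(len(select_rules(h, rules)) for h in hosts.values())
    return untuned, tuned


if __name__ == "__main__":
    inventory = build_inventory(OBSERVED)
    for h in inventory.values():
        print(h.ip, h.os, sorted(h.services), "-> sids", select_rules(h))
    print("firewall actions:", enforce_policy(inventory, {"osx"}))
    print("untuned vs tuned rule checks:", tuning_summary(inventory))
```

The inventory is only as good as the banners it sees, so a host that has not yet spoken stays "unknown" and gets only the "any" rules; a real deployment would also need to age entries out and re-fingerprint when a host's banner changes, otherwise the block action in enforce_policy fires on stale data.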