effects of Cisco acquisition of sourcefire on SO?


controlling chaos

Nov 4, 2013, 2:32:07 PM
to securit...@googlegroups.com
Have there been any thoughts on how the Cisco acquisition of Sourcefire (specifically future snort revisions) will affect SO?

Off the top of my head, should I be considering switching to suricata? Or will the situation turn out to be something like what happened with tripwire, where there was a source code fork with the older GPL'ed version still being used but not developed?





controlling chaos

Nov 4, 2013, 2:33:29 PM
to securit...@googlegroups.com
Clarification: Cisco did not acquire tripwire; I was using tripwire as an example.

Doug Burks

Nov 4, 2013, 2:39:09 PM
to securit...@googlegroups.com
Please see the Sourcefire blog post concerning the acquisition:
http://blog.sourcefire.com/Post/2013/07/23/1374581400-cisco--sourcefire--now-bigger-stronger-faster/

"they are committed to continued innovation and support of our open
source projects, too."

Even IF the worst case scenario of open source snort going away
happens, it's trivial to switch to Suricata at any time:
https://code.google.com/p/security-onion/wiki/FAQ#I'm_currently_running_Snort.__How_do_I_switch_to_Suricata?



--
Doug Burks
http://securityonion.blogspot.com

Jake Sallee

Nov 5, 2013, 2:39:58 PM
to securit...@googlegroups.com
I *THINK* the reason that Cisco bought SourceFire was licensing based.

If I remember correctly Cisco's IDS platform is based on SNORT and they need to buy licenses from SourceFire in order to be able to resell it as their own product.

They probably did a cost/benefit analysis and found out it was cheaper to buy the company than to keep paying the license fees.

They have done this before with WebEx. They were WebEx's biggest customer by a wide margin and they found out it would be cheaper to buy WebEx than to continue to pay them.

controlling chaos

Nov 6, 2013, 4:41:41 PM
to securit...@googlegroups.com
Hm. That's an interesting take. Still, given Cisco's record of assimilation and hostility to open source or otherwise non-proprietary tech, I'm still concerned enough that I'll probably rabbit the first sign they start closing it up. Oh, wait...my tin foil hat is showing 8)


Neil C.

Nov 11, 2013, 11:22:42 AM
to securit...@googlegroups.com

Are you 100% sure about that? Because I REALLY have to disagree. I have dug under the covers on my Cisco IPS sensors (via the 'service' account which gives you full root privs) and there is nothing that looks even remotely snort-like. If there was I would have ported the Emerging Threats rules over ages ago.

I have had conversations with a lot of people on the Cisco IPS team over the years, including Jerry Lathem who I think was one of their original developers. I was constantly harping on the fact that their sigs don't detect malware worth a damn, and showed them how I was using a snort-to-cisco rule conversion tool (s2c) with fairly good success.

I think the acquisition was just a realization by Cisco that their IPS sucks and, more importantly, their ASA-CX NextGen Firewall sucks also. Rebuilding was not an option given how long their development cycles take (i.e. forever)

My guess is that Cisco is going to get either Snort or the SourceFire-branded version to run as a software module inside of the ASA 5500-X series firewalls, which should be easy given how they are doing it with their own IPS now. Either way you'll have to pay for it (this is Cisco we're talking about). But I also assume they'll keep Snort open-source and won't do anything to severely piss off the community. Still - I think Suricata is a better long-term option but that's a topic for an entirely different thread.
