Open source IDS Snort is quietly ushering in changes to its license agreement that allow it to charge for timely, tested rules. Sourcefire, manager of the open source project, said some vendors relying on those rules for their own commercial products aren't pleased.
"Sourcefire [is] preventing other commercial entities from profiting from their work [specifically, rules] without contributing back to the community," said Gary Hein, service director for Burton Group's Application Platform Strategies division. "I don't see this creating heartburn for Snort developers and end users, but mostly for commercial vendors that have IDS appliances based on Snort."
Sourcefire's chief marketing officer, Michele Perry, said the changes were announced to customers March 7 and that most of the transition has gone smoothly. However, "a few folks needed to add it to their budgets, and others [commercial vendors] understand it will impact their business in a big way," she said.
The popular IDS tool is the basis for about 45 commercial products, including those produced by SnapGear, Lucid Security, StillSecure, Winsnort.com Intrusion Detection and PacketAlarm, to name a few. Internet Security Systems products also use Snort rules.
Perry said a list of "certified" vendors using Snort will be issued soon. Though she declined to name any participants, StillSecure's Chief Strategy Officer, Alan Shimel, said his company will be an official distributor of products using Snort rules. He fully acknowledges the years of hard work that have gone into making Snort the leading product it is today.
"Sourcefire's rules development process is backed by several million dollars worth of computer equipment, plus salaries for seven full-time vulnerability researchers and rule writers," said Richard Bejtlich,
Among the changes will be notification of new rules that can be pushed out automatically instead of having to check the Web site regularly. The rules will also be subject to strict testing prior to release. For example, "People are staying through the night to test [rules based on Microsoft's Patch Tuesday releases]," said Perry.
"Those using Snort to monitor their enterprise can register and receive rules for free, five days after paid subscription holders," said Bejtlich. "Those selling Snort within commercial products or services pay a fee that is minor compared to the value of commercial contracts and foregone research and development."
Updated Snort rules will be available as part of a subscription service, costing companies $195 per month, $495 per quarter or $1,795 annually. Educational institutions will be eligible for a discount. Others not concerned as much with timeliness can wait five days and get updated rules for free.
Perry said customers appreciate "the time, effort and equipment that keeps Snort at the top of its game. They know that whatever grows the Snort ecosystem is good for them."
Commercial vendors taking advantage of the open-source vulnerability scanner Nessus got a similar surprise in December when its project managers announced they would no longer offer free, timely "plugin" programs that contain vulnerability and testing information to such product and service vendors.
Nessus developer Ron Gula believes other open source projects, like spam blacklists, could also end up seeing commercialized updates. It remains to be seen how many open source tools and programs will follow the paths blazed by Nessus and Snort to support further development.