Last week there was some discussion in the #snort IRC channel about why Debian distributes such an ancient version of Snort, namely version 2.3.3. This release is more than 2 years old and no longer supported by SourceFire. The snort.org website says about the old versions:
You should not use these unless you really know what you are doing. Many bugs may have been fixed, including remote vulnerabilities
Even though Debian is able to fix security bugs itself, without relying on SourceFire, Snort 2.3.3 is still going to be inferior to the recent 126.96.36.199. Why? Recent Snort versions have many more and improved detection options, such as a better pattern matcher, a defragmentation preprocessor, an improved stream preprocessor, an smtp plugin, and so on.
So why is Debian not updating Snort? The answer can be found in the Debian bugtracker. Snort is released under the GPL and up to and including version 2.3.3 included a ruleset. But since then only Snort itself is distributed under the GPL, the (VRT) rules are now under a less free license. Of course the user can get them for free, but with a 30 day delay and only after registering with SourceFire. Big deal, I would say, just remove the rules from the package and put some doc describing how to get rules. But the Debian maintainer doesn’t like this idea:
“Consequently, upgrading to 2.4 would mean providing just an IDS engine, not an IDS “service”.” (source)
I think this reasoning makes no sense, for a number of reasons:
- Snort can be useful even without any rules: it can detect anomalies in stream tracking, dns, ftp, http, smtp. It can provide statistics, capture traffic.
- Managing the Snort rules through the very static Debian package system makes no sense in the first place. Many of the rules change weekly or even daily; Debian would never update the package for this. Oinkmaster should be used for this, and Debian provides this tool as well.
- People can write their own rules.
- There still are many free rules available. The Snort community rules are GPL licensed, Bleeding rules are BSD licensed. Together they have thousands of rules.
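To make the first three points concrete, here is an added example (not from the original post or from the Debian package) of a minimal Snort 2.x configuration that is useful with no vendor ruleset at all: the preprocessors generate their own anomaly alerts, and the only rule file is a locally written one. The network ranges, file paths and the example rule are assumptions; preprocessor option names follow the Snort 2.x manual of that era and should be checked against the README files shipped with the installed version.

```conf
# Constructed example: snort.conf that relies on preprocessors, not VRT rules
var HOME_NET 192.168.1.0/24          # assumed monitored network
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules       # assumed path; Oinkmaster can also update files here

# Preprocessors alert on protocol anomalies without any signature
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 }
preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds

# Alerts go to the fast alert log; no rules are needed for the lines above
output alert_fast: alert

# A single self-written rule file (the "people can write their own rules" case);
# local.rules could contain, for example:
#   alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Constructed example: inbound SSH SYN"; flags:S; sid:1000001; rev:1;)
include $RULE_PATH/local.rules
```

Community or Bleeding rules, when added later, are just further `include` lines, and Oinkmaster keeps those files current without the package ever changing.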
So Debian, please make your Snort package usable again, and update it to the latest stable version! And while you are at it, provide an inline enabled package as well 😉
This is a great example why I never use a port/packaging system when installing Snort, even (gasp) on my beloved FreeBSD.
Most importantly, I install from source because I can deploy the new version immediately, and not wait for an updated port or package. Furthermore I can customize it however I like.
Much as I like Debian, this is a dumb idea on the package maintainer’s part. The “engine” vs “service” idea is particularly stupid.
Debian is so damn ugly sometimes.
If you want to protect a network, you *awfully* need a current ruleset and a well-working, sophisticated version of SNORT!
Those blind freaks!
Just for the record, some time to develop the rulesets made most of Debian’s concerns go away, and Snort 2.7 will be in the next release (lenny / 5.0).
Kind of late … 🙂
Compile my friends, compile. Funny exercise.