Snort FAQ
1. In addition to the new licensing, what has changed on Snort.org?
2. What is a Snort Integrator?
3. What is the relationship between Snort and Sourcefire?
4. Does Sourcefire sell Snort?
5. What is the role of the Sourcefire Vulnerability Research Team?
6. How do I send Sourcefire questions on licensing or other issues?
1. What is a registered user?
2. Why do I need to register?
3. What if I do not wish to register?
4. Will my information be shared with any other parties or used in any marketing efforts?
5. How can I provide feedback or suggestions for the site?
1. What are Community Rules?
2. What are Sourcefire VRT Certified Rules?
3. What is a user-defined rule?
4. How are rules distributed?
1. What does the Sourcefire Subscription Service entitle me to?
2. Do I have to subscribe to receive VRT Rules?
3. How much does a Subscription cost?
4. Does the Sourcefire subscription offer support for rules?
1. What is the GNU GPL?
2. What is the VRT Certified Rules License Agreement?
3. What is the Snort Integrator License from Sourcefire?
4. How is the Snort software licensed?
5. Why are the rules licensed separately from the software?
6. Previously Snort and all the rules were licensed exclusively under the GPL, what prompted the change?
7. With the commercial license option, is Snort still an open source solution?
8. What license is used if I contribute code for the Snort Engine?
9. What license is used if I contribute a rule for Snort?
10. If I am currently running Snort, do I have to change anything or do anything differently under this new licensing model?
General
1. In addition to the new licensing, what has changed on Snort.org?
Based upon feedback from the Snort community, Sourcefire has undertaken a complete overhaul of the snort.org web site to increase its usability and functionality. New features include revised navigation, user forums and easier communication with Sourcefire and the Snort team. Over the next few months we will continue to update the site with additional features such as webinars, tutorials, enhanced documentation, etc. If you have any feedback or suggestions for improvements, please contact snort-feedback@sourcefire.com.
2. What is a Snort Integrator?
A Snort Integrator refers to any company that distributes Snort or Snort rules in their commercial offerings. This includes vendors bundling Snort or Snort rules, MSSPs and SIMs.
3. What is the relationship between Snort and Sourcefire?
Sourcefire was founded in 2001 by Martin Roesch, the original author of Snort, in response to increasing demand for a commercial version of the popular technology. Today Sourcefire's mission is to combine our open source roots with proprietary innovation to deliver the most effective and comprehensive real-time network defense solutions on the planet. For more information on Sourcefire, visit www.sourcefire.com.
4. Does Sourcefire sell Snort?
While Sourcefire does offer a commercial version of the Snort technology, we do not simply sell Snort. Sourcefire embraces the open source model and is committed to the GPL. Sourcefire leverages the Snort detection engine as the foundation for the Sourcefire Intrusion Sensor, adding an easy-to-use interface, optimized hardware, powerful data analysis & reporting, policy management and administration, as well as a full suite of product services and 24x7 support. All enhancements made to the Snort technology for Sourcefire's commercial offerings are contributed back to the open source community.
5. What is the role of the Sourcefire Vulnerability Research Team?
The Sourcefire Vulnerability Research Team (VRT) is a group of leading edge intrusion detection and prevention experts working to discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.
6. How do I send Sourcefire questions on licensing or other issues?
The open source community is very important to Sourcefire and we welcome your feedback. All questions and comments can be sent directly to Sourcefire at snort-info@sourcefire.com.
Snort.org
1. What is a registered user?
A registered user refers to someone who has completed the free registration process on www.snort.org. These users receive access to extra features of the site as well as faster VRT Rule updates.
2. Why do I need to register?
Registration is simple and provides users with increased site functionality as well as faster access to new VRT Rules. By registering you are also agreeing to the new VRT Certified Rules License Agreement that prohibits commercial redistribution of new VRT Rules. In addition, registered users have full access to things such as forums, enhanced documentation, webinars and tutorials.
3. What if I do not wish to register?
Registration is not mandatory although unregistered users will not have access to timely VRT Rule updates. Unregistered users will still have full access to the Snort source code and community ruleset but will only receive a static VRT Certified Ruleset with each Snort point release.
4. Will my information be shared with any other parties or used in any marketing efforts?
No. The privacy of the Snort community is very important to Sourcefire. If you choose to opt-out, the information collected at the time of registration will not be used for any Sourcefire marketing efforts. In addition, Sourcefire will not sell or distribute any personal information to 3rd party companies. For additional details, please read our privacy policy.
5. How can I provide feedback or suggestions for the site?
Your feedback on the new web site as well as Snort in general is very important to Sourcefire. Please send any feedback to snort-feedback@sourcefire.com.
Rules
1. What are Community Rules?
Community rules refer to all rules that have been submitted by members of the open source community or Snort Integrators. These rules are freely available to all Snort users and are governed by the GPL.
2. What are Sourcefire VRT Certified Rules?
Sourcefire VRT Certified Rules refer to rules that have been tested and officially approved by the Sourcefire Vulnerability Research Team. New VRT Certified Rules released after March 7th, 2005 are governed by the VRT Certified Rules License Agreement.
3. What is a user-defined rule?
User-defined rules refer to rules that an end user writes specifically for their environment. These rules are not contributed back to the open source community. When writing your own rule, a SID between 1,000,001 and 2,000,000 should be assigned to avoid overlap with existing rulesets.
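A check for the SID range described above, as an added example that is not part of the Snort FAQ or of Sourcefire's tooling: it scans a local rules file for user-defined rules whose sid is outside 1,000,001 to 2,000,000, is reused, or is missing. The sample rules are constructed, and the script assumes one rule per line.

```python
import re

# Range the FAQ gives for user-defined rules (inclusive).
USER_SID_MIN, USER_SID_MAX = 1_000_001, 2_000_000
# Match "sid:<n>;" only where it starts a rule option (after "(" or ";").
SID_RE = re.compile(r"[(;]\s*sid\s*:\s*(\d+)\s*;")

# Constructed sample of a local rules file (not real signatures).
SAMPLE_RULES = '''\
# local.rules (constructed sample)
alert tcp any any -> $HOME_NET 8080 (msg:"LOCAL admin console access"; content:"/admin"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 21 (msg:"LOCAL ftp login"; content:"USER "; sid:2100; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"LOCAL long dns query"; dsize:>512; sid:1000001; rev:2;)
alert icmp any any -> $HOME_NET any (msg:"LOCAL icmp sweep"; itype:8; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"LOCAL ssh banner"; content:"SSH-"; sid:1000002; rev:1;)
'''

def lint_local_sids(text):
    """Return (line_no, problem) tuples for user-defined rules in `text`."""
    findings, seen = [], {}
    for line_no, line in enumerate(text.splitlines(), start=1):
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue  # skip blank lines and comments
        match = SID_RE.search(rule)
        if match is None:
            findings.append((line_no, "no sid option"))
            continue
        sid = int(match.group(1))
        if not USER_SID_MIN <= sid <= USER_SID_MAX:
            findings.append((line_no, f"sid {sid} outside user-defined range"))
        if sid in seen:
            findings.append((line_no, f"sid {sid} already used on line {seen[sid]}"))
        else:
            seen[sid] = line_no
    return findings

if __name__ == "__main__":
    for line_no, problem in lint_local_sids(SAMPLE_RULES):
        print(f"line {line_no}: {problem}")
```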
4. How are rules distributed?
There are two sets of rules distributed on the snort.org web site. The "Community Ruleset" is freely available to all users. The "VRT Certified Rulesets" will be made available to users in the following ways:
- Subscribers will receive rulesets in real-time as they are released to Sourcefire customers - 5 days ahead of Registered users
- Registered users will receive rulesets when they are published
- Unregistered users will receive access to a static ruleset containing only the latest rules at the time of each Snort point release.
Download the latest rulesets.
Sourcefire Subscription
1. What does the Sourcefire Subscription Service entitle me to?
Understanding that attackers are constantly developing new methods of attack, uncovering new vulnerabilities and exploiting known weaknesses in commonly deployed systems, Sourcefire created the Sourcefire Vulnerability Research Team to ensure our customers stay one step ahead of the latest threats. With this new subscription service, Snort users can benefit from the hard work of this team at the same time Sourcefire customers do. All Sourcefire VRT Certified Rules will be made available to subscribers in real-time as they are released.
Subscribers receive:
- The fastest access to VRT Certified rule updates - The same quality ruleset developed for Sourcefire customers - up to 5 days faster
- Zero day coverage - The VRT proactively focuses on the underlying vulnerability, rather than simply reacting to known attacks
- The ability to submit false positives directly to the VRT - A detailed submission form sends false positive reports directly to the VRT
- Snort training from the source - Learn how to take advantage of the power behind Snort rules with 10% off any Sourcefire Snort Training.
2. Do I have to subscribe to receive VRT Rules?
No. Subscribers receive VRT Certified Rules updates immediately when they are available - 5 days faster. However, these rules are still made available to Registered Users after 5 business days and to unregistered users at the time of each Snort point release (e.g. 2.3.0, 2.4.0, 3.0).
3. How much does a Subscription cost?
Introductory pricing for the Sourcefire Subscription is:
- $195/month
- $495/quarter
- $1795/year
In addition, if you sign up before June 30th, 2005 you receive a 10% discount off Snort Training.
4. Does the Sourcefire subscription offer support for rules?
While the subscription does offer guaranteed support for rules, subscribers will be provided access to a special mailing list and user forum to discuss VRT Certified Rules. Sourcefire will remain as active as possible on these lists. In addition, subscribers can submit detailed false positive reports directly to the VRT. If a serious issue is discovered, the VRT will address it as they would for a Sourcefire customer.
Licensing
1. What is the GNU GPL?
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.
You can read the complete GPL license here.
2. What is the VRT Certified Rules License Agreement?
The VRT Certified Rules License Agreement enables registered end-users to freely download and use rules that have been certified by the Sourcefire VRT while restricting commercial redistribution.
View the complete VRT Certified Rules License Agreement.
3. What is the Snort Integrator License from Sourcefire?
The Snort Integrator License from Sourcefire is a fee-based license that enables Snort Integrators to distribute VRT Certified Rules with their commercial offerings. If you are interested in an integrator license, please contact Sourcefire at snort-license@sourcefire.com.
4. How is the Snort Engine licensed?
There are no changes to the licensing or distribution of the Snort engine. The Snort engine continues to be distributed under the free software/open source GNU General Public License (commonly known as the "GPL"). With the GPL license, Snort is available free of charge. Users may download the software for free and modify, integrate and distribute it. However, GPL users must abide by the rules of the GPL, which stipulate that if a Snort-derived application is redistributed, the complete source code for this application must also be open and available for redistribution.
5. Why are the rules licensed separately from the Engine?
Sourcefire is extremely committed to the advancement of Snort and the open source community. That commitment has resulted in advances such as gigabit performance capability, the integration of the snort_inline technology, the current and future generations of IP defragmentation and TCP stream reassembly functionality, protocol anomaly detectors and normalization, portscan detection, the unified output subsystem, reams of documentation and two complete code audits. In addition, Sourcefire has dedicated significant resources to improving the quality, accuracy and timeliness of Snort rules. The nature of rule development and distribution has always made the rules research, development and distribution a parallel process with Snort development, with its own licensing needs.
6. Previously Snort and all the rules were licensed exclusively under the GPL, what prompted the change?
Sourcefire has learned of people that were misusing the GPL by distributing the Snort rules tightly coupled with their applications and claiming that the GPL doesn't affect them. This change has allowed Sourcefire to support the open source model by better identifying when someone is using the Snort rules in a closed source fashion without commitment to the open source philosophy. For developers building open source applications using Snort rules or Snort end users in general, the change in the licensing policy has no effect. The changes in the license apply specifically to organizations that are commercially redistributing the rules for either a product or a service offering.
7. With the commercial license option, is Snort still an open source solution?
Yes, Snort is still an open source technology licensed under the GPL and Sourcefire remains completely committed to the open source values and philosophy. We believe the open source model of development and distribution is the most efficient way to produce high-quality software.
8. What license is used if I contribute code for the Snort Engine?
When contributing code or bug fixes for the Snort Engine, the GPL applies.
9. What license is used if I contribute a rule for Snort?
When you contribute a new rule for Snort, you will have the option of having this rule included in the Community Ruleset or considered for inclusion in the VRT Certified Ruleset. Rules submitted to the Community Ruleset will be covered by the GPL. If you would like to have your rule considered for the VRT Certified Ruleset, you must agree to assign all ownership and copyrights over to Sourcefire. If this rule is selected, your name will be published in the associated documentation declaring you a "contributor" to that rule. Prior to submitting a new rule for the VRT Certified Ruleset, Sourcefire recommends that you carefully read the agreement and contact us if you have any unanswered questions.
10. If I am currently running Snort, do I have to change anything or do anything differently under this new licensing model?
No, end-users can continue to use Snort without any changes.