Just about every network administrator on the planet knows about Snort. It's probably the most popular intrusion detection system in use today. It's been around since 1998, when Martin Roesch wrote the original 1200 lines of code over the course of one week.
The first version was basically just a packet sniffer. From there, Snort quickly grew into the high-powered intrusion detection and prevention system that it is today. It became so popular and so important that by 2001, Roesch had parlayed his original idea into not only a hugely popular open source project but also a commercial product under the Sourcefire brand.
Snort turns nine years old this month, and it's in the process of getting a major overhaul. Roesch, who is lead architect for the rewrite process, said that Snort 3.0 will have a new architecture and streamlined code base. One of the major features that's being designed into the new architecture is contextual awareness. Administrators will be able to give Snort data about the network it runs on and the systems that reside on the network. This feature will help minimize tuning, prioritize events, and guard against evasion techniques used by intruders.
The new streamlined code base will allow developers to more easily create specialized traffic analyzer components. Another major improvement will be better support for multi-core CPUs, which will let Snort run parallel analysis on network traffic. Roesch said that the idea with parallel analysis is to put all of Snort's detection logic into modules so that the modules can be run as separate threads. A new analytic subsystem is being designed to handle all of the parallel threads.
In the big picture, traffic will flow into Snort from various sources, which include the OS's network layer, an IP defragmenter, a TCP stream reassembler, packet and data decoders, a flow management component, and possibly other hardware and software that communicate with Snort through a data source API. A dispatcher handles data flow to and from the various other components of Snort, such as the analytic system, the action system, and the Snort command shell.
Overall, the redesign effort is a tremendous undertaking, and it should be worth the brain power expense. Roesch said that he believes "ultimately our users will benefit tremendously from the design of the new engine and that it will be a platform that will work well for at least the next 9 years."
Snort 3.0 is due out sometime in the latter part of 2008 with a public beta slated for sometime during the first half of the year. If you're interested in the nitty gritty details of the new design, then be sure to keep an eye on Roesch's Security Sauce blog (at the URL below) where he'll give more details as the weeks roll on.