Dailydave: Re: Sourcefire Acquired by Check Point Software

From: Renaud Deraison <deraison_at_nessus.org>
Date: Sat, 8 Oct 2005 20:59:41 -0700

On Oct 8, 2005, at 17:04, Frank Knobbe wrote:
>
>> A number of companies are _using_ the source code against us, by
>> selling or renting appliances, thus exploiting a loophole in the
>> GPL.
>
> I wonder what "loophole" he's talking about. The license seems pretty clear.
> Anyway...

There are several loopholes on many levels:

(a) You can take any GPL software, put it as-is on an appliance, call
your appliance the "FOOBAR 3000" and sell FOOBAR 3000 Scanners all
over the place. You therefore hide any credit to the original program
you took and nobody knows that your FOOBAR 3000 is using (Nessus|
Snort|.*)

(b) You take any GPL software, make substantial changes to it, and
"rent" the appliance to your customers. You're not obligated to give
the source code to your customer.

(c) You take any GPL software which produces content, and wrap a
web-based management GUI around it which does not link to it per se, but
uses the results. Now the GPL is very fuzzy about the output of the
program. It actually says the following:

<< The act of running the Program is not restricted, and the output
from the Program is covered only if its contents constitute a work
based on the Program (independent of having been made by running the
Program). Whether that is true depends on what the Program does. >>

So it's up to the owner of the copyright to decide what kind of
licensing applies to the output. For instance, in the case of Nmap Fyodor
decided that you're not allowed to process the results from a scan
launched by your proprietary web GUI (cf nmap-3.XX/COPYING) -- in
that way he cleared the ambiguity. We find that kind of restriction
to be very extreme (especially if you're talking about "free"
software) and decided to not go with it, but at the same time there
should be some middle ground between considering the output as public
domain or restricting its use drastically.

[...]
> The reason is that Snort is free, and will remain free. SF makes money
> on products they built on it, like their RNA stuff.

Great example. RNA is a sniffer. Snort is a sniffer. RNA tunes Snort
so that its alerts are better qualified.

Don't you honestly think that there's a lot of redundant technology
here? From an architectural point of view, don't you think it would
have been cleaner, more effective and more robust to patch snort so
that it performs both passive VA analysis and intrusion detection ?
It would probably have been more real-time, but also quicker and more
powerful to have the same process perform these two tasks (even if
you stick one process per CPU -- have some shared memory so that the
RNA part can tune the IDS part). If Snort and RNA had been merged in
one single product, Snort would be a much better IDS.

Don't you think the fact that Snort was there for anyone to pick up
and put on an appliance drove the decision to choose what is, in the
end, a more complex solution ?

                                 -- Renaud
Received on Oct 08 2005