DHS Sponsorship Boosts Open-Source Security Engine

From: Internet Evolution

Written by Stephen Lawton

Network security companies looking for an open-source-based intrusion detection and prevention engine have a next-generation tool that can be incorporated into their existing or new offerings: Check out the latest beta of the Open Information Security Foundation’s (OISF) Suricata Engine.

The Suricata Engine was developed with funding from the US Department of Homeland Security and private sector companies. The Suricata code can be downloaded here.

Matthew Jonkman, CEO of Emerging Threats Pro Inc., founder and board member of OISF, and head of the core team that developed Suricata, says that the implied support of DHS provided by its funding of projects through its Homeland Open Security Technology (HOST) program paves the way for private-sector products.

Because the Suricata Engine was partially funded through the HOST program and built under contract by the Georgia Tech Research Institute, the Suricata downloads and HTP Libraries are covered by the GNU General Public License (GPL) version 2.

Rather than trying to stop an intruder from gaining access to a network, the Suricata Engine assumes the attacker already has access. Data security managers use the Engine to determine which protocol is actually being used to transmit data on the network, regardless of the port it is carried on, says Jonkman. By knowing the real protocol in use, the network manager can protect network data and ensure that it does not leave the premises.
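The port-independent protocol identification described above, as an added illustration (this is not Suricata's code, and the byte signatures, the port-to-protocol map and the sample flows are simplified assumptions constructed for the example): each flow's protocol is decided from its first client bytes, and a flow whose detected protocol disagrees with the port's conventional protocol is flagged for the analyst.

```python
from dataclasses import dataclass

# Simplified payload signatures (assumption: real engines use far richer parsers).
SIGNATURES = [
    ("ssh", lambda p: p.startswith(b"SSH-")),
    # TLS record type 0x16 (handshake) followed by protocol major version 0x03.
    ("tls", lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03),
    ("http", lambda p: p.split(b" ", 1)[0]
     in {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"} and b" HTTP/" in p),
]

# Conventional protocol for well-known destination ports (assumption).
EXPECTED = {22: "ssh", 80: "http", 443: "tls"}


@dataclass
class Flow:
    src_port: int
    dst_port: int
    payload: bytes  # first bytes sent by the client in this flow


def detect_protocol(payload: bytes) -> str:
    """Identify the application protocol from payload content, ignoring the port."""
    for name, matches in SIGNATURES:
        if matches(payload):
            return name
    return "unknown"


def check_flow(flow: Flow) -> tuple[str, bool]:
    """Return (detected protocol, True if it contradicts the port's conventional protocol)."""
    proto = detect_protocol(flow.payload)
    expected = EXPECTED.get(flow.dst_port)
    mismatch = expected is not None and proto != "unknown" and proto != expected
    return proto, mismatch


def audit(flows: list[Flow]) -> list[tuple[int, str, bool]]:
    """Summarise every flow as (dst_port, protocol, mismatch) for review."""
    return [(f.dst_port, *check_flow(f)) for f in flows]


# Constructed sample flows: the second carries SSH on the web port.
FLOWS = [
    Flow(51000, 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow(51001, 80, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow(51002, 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow(51003, 8080, b"GET / HTTP/1.1\r\n\r\n"),  # port with no expectation
]

if __name__ == "__main__":
    for dst_port, proto, mismatch in audit(FLOWS):
        print(f"dst_port={dst_port} proto={proto} mismatch={mismatch}")
```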

The original plan called for DHS to fund the Suricata program for up to four years, Jonkman tells us. However, funding will end closer to the two-year mark. “2012 is the make-or-break year for Suricata,” he notes, but he is optimistic the program will survive the funding cutoff.

Members of OISF provide much of the technical expertise, computing resources, and manpower to develop the code, Jonkman says. “The donated developers are worth gold to us.”

The separation of responsibilities between the public and private sectors was clearly laid out from the start. DHS provided the startup funding for the project, but it also has provided crucial programming resources and the testing of the engine on its own and other government agency networks and servers to ensure that the products can meet the security requirements of various agencies.

In so doing, DHS not only is providing the proof-of-concept; it is also obtaining feedback on how the product works in a live environment, giving commercial companies that want to productize the Suricata Engine valuable hard data that can be used to promote sales, Jonkman says. While DHS does not officially endorse specific products, commercial customers know that the Engine has been tested by DHS on a variety of networks.

One company that has implemented the Suricata Engine into a commercial product is nPulse Technologies Inc. of Charlottesville, Va. Its HammerHead offering is a high-speed, continuous recording product that provides full packet capture of traffic for retrospective network analysis and replay. HammerHead Capture & Replay combines flow-based session analytics with stream-to-disk recording at up to 20Gbit/s, the company says.

Competitive intrusion detection systems send out alerts that often contain a lot of data that is not contextual, says founder and chief technology officer Randy Caldejon. nPulse’s HammerHead can collect all packets that are associated with a specific alert, allowing the security manager to better understand why an alert was generated and determine what steps should be taken next.

In addition to Suricata, nPulse uses two additional technologies developed by public and private partnerships. SiLK, the System for Internet-Level Knowledge, is a collection of traffic analysis tools developed by the Computer Emergency Response Team's (CERT) Network Situational Awareness (NetSA) group to facilitate security analysis of large networks. nPulse also uses Bro, an open-source network intrusion detection system developed by Vern Paxson, who continues to lead the project.

Caldejon says he is a fan of open-source trusted products that are spun out of the government because the products carry the implied cachet of government acceptance, and, because they are open-source, they have the support of a large, experienced community of developers who test and refine the technology.
