Thursday, May 10, 2007

Snort 3.0 licensing

I've been hearing quite a bit of punditry out there regarding Snort 3.0's licensing language and lots of commentary on What It All Means, so I guess it's time for me to clear the air.

If you want to know what Snort 3.0's licensing language is going to be, try reading it. It's available in the first Snort 3.0 pre-alpha release I did last month and we're using the GPL. Apparently it was hard to locate because it was in a file called COPYING instead of one called LICENSE. The origin of naming the license file COPYING comes from the FSF as I recall and is typical of most GPL projects. Anyway, to avoid further confusion (and so I can tell people to look at my blog if it comes up!) I'll post the preamble that we added to the COPYING file before the GPL license language in Snort 3.0 right here:

/*************** IMPORTANT SNORT LICENSE TERMS ******************************
* The Snort Network Traffic Analysis Platform ("Snort") software is the
* copyrighted work of Sourcefire, Inc. (C) 2007 Sourcefire, Inc. All Rights
* Reserved. This program is free software; you may use, redistribute and/or
* modify this software only under the terms and conditions of the GNU General
* Public License as published by the Free Software Foundation; Version 2 with
* the clarifications and exceptions described below. If you wish to embed this
* Snort technology into proprietary software, we sell alternative licenses
* (contact
* Note that the GPL requires that any work that contains or is derived from
* any GPL licensed work also must be distributed under the GPL. However,
* there exists no definition of what is a "derived work." To avoid
* misunderstandings, we consider an application to constitute a "derivative
* work" for the purpose of this license if it does any of the following:
* - Integrates source code from Snort.
* - Includes Snort copyrighted data files.
* - Integrates/includes/aggregates Snort into a proprietary executable
* installer, such as those produced by InstallShield.
* - Links to a library or executes a program that does any of the above where
* the linked output is not available under the GPL.
* The term "Snort" should be taken to also include any portions or
* derived works of Snort. This list is not exclusive, but is just
* meant to clarify our interpretation of derived works with some common
* examples. These restrictions only apply when you actually redistribute
* Snort. For example, nothing stops you from writing and selling a
* proprietary front-end to Snort. Just distribute it by itself, and
* point people to to download Snort.
* We don't consider these to be added restrictions on top of the GPL, but just
* a clarification of how we interpret "derived works" as it applies to our
* GPL-licensed Snort product. This is similar to the way Linus Torvalds has
* announced his interpretation of how "derived works" applies to Linux kernel
* modules. Our interpretation refers only to Snort - we don't speak
* for any other GPL products.
* If you have any questions about the GPL licensing restrictions on using
* Snort in non-GPL works, we would be happy to help. As mentioned
* above, we also offer an alternative license to integrate Snort into
* proprietary applications and appliances. These contracts can generally
* include a perpetual license as well as providing for priority support and
* updates as well as helping to fund the continued development of Snort
* technology. Please email for further
* information.
* If you received these files with a written license agreement or contract
* stating terms other than the terms above, then that alternative license
* agreement takes precedence over these comments.
* Source is provided to this software because we believe users have a right to
* know exactly what a program is going to do before they run it. This also
* allows you to audit the software for security holes.
* Source code also allows you to port Snort to new platforms, fix bugs,
* and add new features. You are highly encouraged to send your changes to
* for possible incorporation into the main distribution.
* By sending these changes to Sourcefire or one of the Sourcefire-moderated
* mailing lists or forums, you are granting to Sourcefire, Inc. the unlimited,
* perpetual, non-exclusive right to reuse, modify, and/or relicense the code.
* Snort will always be available Open Source, but this is important
* because the inability to relicense code has caused devastating problems for
* other Free Software projects (such as KDE and NASM). We also occasionally
* relicense the code to third parties as discussed above. If you wish to
* specify special license conditions of your contributions, just say so when
* you send them.
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; including without limitation any implied warranty of
* Public License for more details at,
* or in the COPYING file included with Snort.

There you go.

Why did we add this preamble? The GPL license is vague in a number of ways as to what constitutes a "derivative product" and there are lots of confused vendors out there who, one way or another, "misinterpret" this language in ways that are very beneficial to themselves. At the same time those vendors infrequently, if ever, actually contribute anything to the projects that they use. While it's not a stipulation of the GPL that you must contribute back to the projects that you use as core technologies in your products, it is a stipulation that you have to hew to the license language. That being the case, we took a cue from Nmap and decided to add the preamble to the license language to provide clarity for users as to what we believe constitutes a derivative product so that there's as little confusion as possible. If you're an end user and you're using Snort as your IDS/IPS technology, this has no effect on you. If you're a commercial company that's using Snort as part of a product offering in such a way that you've breached the terms of the GPL license, you have two choices. You can distribute the source code for your product under the GPL or you can seek an alternative license from Sourcefire.

As I said before, the template that we used for this language comes from Nmap, one of the most popular and wide-spread open source security applications on the internet today. As I have said before in many places, Snort 3.0 is open source technology and is distributed under the GPL. Nothing has changed from the Snort 2.x series except for the clarifications to the license and the option to seek an alternate license from Sourcefire. As with Snort 2.x, technology integrators that don't violate the terms of the license can continue as they have before.

Regarding forking the code base, that's always an option if you don't like the direction that the project is taking but if the goal is license evasion then you're probably going to be disappointed. When you fork a GPL project you can't change the license on the forked code base unless you replace every line of code from the original code base with new code belonging to the group maintaining the fork. But we all know that the purpose of the parties who are discussing a fork doesn't have anything to do with license evasion, right?

If you don't like Snort 3.0's license language you can keep using Snort 2.x, you can use one of the other free IDS/IPS engine technologies out there or you can write your own. It's a pretty straightforward process to build one of these things, I did it in my spare time...

Technorati Tags:
, , , , , ,


At 12:13 PM, Anonymous alan shimel said...

Marty- thanks for your clarification on this. I have posted my response on my blog at

If only I had enough spare time to write my IDS Marty ;-)

At 2:55 PM, Anonymous Anonymous said...

The GPL FAQ has this section:

I would like to bundle GPLed software with some sort of installation software. Does that installer need to have a GPL-compatible license?

No. The installer and the files it installs are separate works. As a result, the terms of the GPL do not apply to the installation software.

Isn't that contradictory to the clarification with respect to proprietary installers?


Post a Comment

<< Home