Snort was created in 1998 by Martin Roesch as an open-source network intrusion detection system (NIDS). It quickly became one of the most widely used IDS/IPS solutions in the world.
- 1998: First public release of Snort
- 1999: Introduction of rule-based detection
- 2000: Snort 1.5 released with improved performance
- 2001: Snort 2.0 released with major architectural improvements
- 2003: Formation of Sourcefire by Martin Roesch
In 2005, Martin Roesch founded Sourcefire to provide commercial support and development for Snort. This era brought:
- Professional threat research team
- Commercial rule subscriptions (VRT rules)
- Snort 2.8 and 2.9 with significant improvements
- Integration with other Sourcefire products
When Cisco acquired Sourcefire in 2013 for $2.7 billion, Snort became part of Cisco’s security portfolio. Key developments:
- 2015: Snort 2.9.8 with improved performance
- 2017: Snort 3.0 beta announced (complete rewrite)
- 2020: Snort 3.0 stable release
- 2021+: Continued development under Cisco Talos

| Year | Version | Notable Changes |
| --- | --- | --- |
| 1998 | 1.0 | Initial release |
| 2001 | 2.0 | Major architectural improvements |
| 2005 | 2.4 | Sourcefire formation |
| 2010 | 2.9 | Long-term stable branch |
| 2020 | 3.0 | Complete rewrite with modern architecture |

- Written primarily in C
- Rule-based pattern matching
- Preprocessor architecture
- Output plugins for alerting
- Complete rewrite in C/C++
- Modular architecture
- Improved performance and scalability
- Better multi-threading support
- Lua scripting for rules
Impact and Legacy
Snort’s contributions to cybersecurity:
- Pioneered open-source NIDS/IPS: First widely adopted open-source network security monitoring tool
- Industry standard: Became the de facto standard for signature-based detection
- Rule language: Snort rules became the industry standard format
- Training and certification: Spawned an entire ecosystem of training and certifications
- Commercial products: Inspired numerous commercial IDS/IPS products
Snort remains actively developed:
- Snort 2.9.x: Maintenance mode (legacy)
- Snort 3.x: Active development and new features
- Community: Large global community of users and contributors
- Rules: Both community and subscriber (VRT) rule sets available
- Integration: Part of Cisco’s broader security ecosystem

| Feature | Snort | Suricata |
| --- | --- | --- |
| First Release | 1998 | 2010 |
| Architecture | Single-threaded (2.x), Multi-threaded (3.x) | Multi-threaded from start |
| Rule Language | Snort rules | Snort-compatible + extensions |
| Development | Cisco Talos | OISF (community) |