Are you redistributing Suricata source code and/or binaries outside your organization?
- No -> Don’t worry, be happy. 🙂
Yes, I am distributing Suricata binaries outside of my organization.
- Distributing Suricata binaries requires either strict compliance with the GPLv2, or a license to redistribute Suricata from the OISF.
- GPLv2 compliance requires:
- Making the Suricata source code available to all end users of the binaries upon request including any modifications (patches/enhancements) made to the Suricata source code under a GPLv2 compatible license.
- Making sure that all libraries linked to by Suricata are also GPLv2 compatible, and making the source code to those, plus any modifications available to the end user.
- If Suricata is linked against non-GPLv2 compatible libraries, including proprietary libraries of your organizations you CAN NOT redistribute Suricata in a GPLv2 compliant manner and should contact the OISF for options.
- You may not add additional restrictions limiting your customers rights as provided by version 2 of the GPL license to the Suricata source code, modifications and other source code required for your use of Suricata.
I have not modified Suricata in any way, and I am only linking against libraries to make use of special hardware.
- You are likely to fall into this category if you are distributing unmodified Suricata code but are linking against non-GPLv2 compatible libraries to access a dedicated capture card or some other form of hardware acceleration and/or offload.
- Suricata binaries linked with such libraries cannot be released in a GPLv2 compliant manner as the libraries are most likely licensed with a non-GPLv2 compatible license by the hardware vendor, which would require you, the distributor to contact the OISF regarding licensing options to distribute Suricata.
- Do your end-users have access to the hardware vendor’s library source code? Are they allowed to distribute it to others under the terms of the GPLv2? If no, you need a license from the OISF.
- If your end-user replaced the Suricata binary as shipped by you, with one compiled from the unmodified source code, would your device continue to work? If no, you likely need a license.
Yes, I have modified Suricata.
- If you have modified Suricata you may still be able to distribute it without a license provided all your modifications are made available with the Suricata source code and licensed in a GPLv2 compatible manner. The source code plus your modifications must be made available to your end-users upon request. And they are allowed to redistribute it under the terms of the GPLv2.
- If you want to, or need to keep your modifications proprietary you must contact the OISF regarding licensing.
Yes, I have modified Suricata and/or am linking to libraries developed by us.
- This is pretty much the same as having modified Suricata, as you most likely have modified Suricata to call functions in the libraries you have developed.
- This will require redistribution of the modified Suricata source code along with any linked to library source code under the terms of the GPLv2.
- If you cannot distribute your libraries under the GPL you will need to contact the OISF.
I’m confused, can you tell me what to do?
- We can likely provide some guidance even if that guidance is to recommend you seek legal advice. If reaching out to us, please provide the following information:
- Have you modified Suricata in any way?
- Are you linking Suricata against any libraries NOT included in your software distribution?
- If yes, what are they?
If in doubt, please contact the OISF – firstname.lastname@example.org
GNU General Public License, version 2
Frequently Asked Questions about version 2 of the GNU GPL