Meet Martin Roesch - Creator of Snort

Patrick Gray interviews Martin Roesch, creator of the popular intrusion detection engine Snort and CTO of Sourcefire Network Security.

Martin Roesch is the CTO and founder of Sourcefire Network Security as well as the creator of the borderline indestructible open source Snort Intrusion Detection system engine.

Widely regarded as a significant pioneer in the field of network-based attack detection and prevention, Roesch is also one of the first technologists to commercialise an open source product. Sourcefire floated on the NASDAQ earlier this year, but it hasn't always been smooth sailing for Martin or Sourcefire over the last couple of years.

A proposed US$225 million takeover of his company by Check Point Software Technologies was kyboshed by US regulators earlier this year. It seems Sourcefire software is all over some particularly sensitive US government networks and the authorities didn't want the technology falling into the hands of Check Point, an Israeli company.

If that weren't enough, Sourcefire is now being sued by angry shareholders who claim that the prospectus leading up to the float was misleading. Sourcefire's share price has plummeted from a debut high of around eighteen dollars to its current level of around nine dollars.

In this interview with Patrick Gray, Marty Roesch talks about the future of Snort, the commercialisation of open source and angry shareholders.

Patrick Gray (PG): So Snort is still going strong after all these years?

Martin Roesch (MR): Yes it is and in fact we are continuing to move the ball forward. We just recently released version 2.8 of Snort which has got some nice new features in it. One of the biggest and longest running wish list items has been taken care of, which is a feature called 'Port List'. It allows us to take a single rule and apply it to multiple ports. We have been talking about that for about six or seven years now so it's about time we got it in there.

PG: You finally did it. Now a lot of open source advocates were quite skeptical when you first formed Sourcefire and decided to commercialise this open source technology that you had created. Do you think those concerns have been allayed now? Have the open source fundamentalists chilled out in their rhetoric?

MR: Yeah. I think largely they have. I think the people who thought it was the worst idea when I started a company were actually the business people. They didn't think the business model would work. Those people have kind of seen the writing on the wall to a large degree. Sourcefire's success speaks for itself in terms of the business model. In terms of the open source model and the evolution that we have taken with our open source software, I think people have gotten relatively comfortable with it. There are hardcore open source purists who always have their bones to pick but the pragmatists are pretty happy with where we've come down in a comfortable middle ground between closing the source up and being completely wide open. I think we've reached a good comfort zone that our users are comfortable with as well.

PG: So the best way of describing the way this works is that you have Snort which is an open source product and then you have your fancy commercial versions of Snort -- that same engine but with a lot of other software built around it.

MR: Yes that is exactly it. We have the 3D system which we built at Sourcefire and it's pretty easy to deploy one Snort sensor but deploying ten or a hundred of them is actually a pretty big challenge. What Sourcefire does is make that problem easy to solve. So if people want to deploy a single Snort sensor and really get deep down in the engine and stuff like that and even two or three or five, they can do that and they can see how easy or hard it is to make that work. But when you get into the enterprise, especially in these large deployments, that gets very complex and if they are very broadly distributed, the real problem becomes managing all of the stuff and managing all of the information that is out there. Sourcefire does a very good job at doing that. We provide all the great engine technology, we make it run as fast as it can run and then we build all the other stuff that you need to scale it.

PG: It is interesting too that people are still using Snort because in technology terms it's pretty ancient these days. How many downloads are you still racking up every week or month?

MR: I haven't seen the download rates recently but last I knew we were still doing about eight to ten thousand downloads a week... it is pretty amazing. The question on my mind is, who are all these people who are downloading this kind of "gearhead" network analysis software? The other kinds of things that have been interesting are that we get people to register on now. Registrations have been slowly increasing and the rate of registration hasn't gone down at all in the two years since we introduced that. It's just a steady stream of people.

PG: We are seeing other companies follow in your footsteps to a degree with the hybrid commercial open source business and the one example that I can think of is Zen Source.

MR: Yes. I believe our chief marketing officer is actually an investor in the company.

PG: So it seems that the business to a large degree has been a success. You were just named as one of Maryland's fastest growing companies by Deloitte, the global consulting firm, which cites a revenue growth of a factor of twenty since 2002. So you can declare this model of commerce a success, can't you?

MR: Yes I would say. Back in the early days I was starting the company and everybody said it was a dumb idea. I had pretty low expectations quite frankly but the model has really proved itself. I think if you look at our growth the numbers get pretty silly when you start looking at the percentages and things like that. It did really prove itself.

PG: It hasn't been all plain sailing has it? There was the aborted acquisition of Sourcefire prior to you guys floating on the Stock Exchange. Check Point expressed a real interest in actually buying Sourcefire and acquiring your technology but that acquisition never went ahead did it?

MR: No, it sure didn't. There were complications with the US federal government policies...

PG: I can almost hear you speaking through gritted teeth right now.

MR: It was a very interesting process and it was extremely educational.

PG: It would have been quite hard.

MR: Yeah it is never nice to have a US$225 million deal taken away because the government doesn't like it because they've got security concerns around it. It is kind of a backhanded compliment that our stuff was so good that they didn't want it under foreign ownership.

PG: We are getting into tricky territory here but some disgruntled shareholders are actually suing Sourcefire. They are claiming that the prospectus prior to the float was misleading. Is that litigation still ongoing?

MR: Yes it is.

PG: Beyond that, is there anything you can tell us?

MR: No I can't.

PG: I figured that might be the case. The share price has also really come off the boil since the float. That was largely to do with some contracts not coming in that were expected wasn't it?

MR: Well the discussion about the quarterly numbers is part of the record and it kind of stands on its own merit. That was an issue and these things are sometimes a little bit unpredictable but we try to do our best. I think ultimately we have a good model and it can prove itself.

PG: Do you feel comfortable now being the executive of a large publicly traded company or do you feel much more at home with a team of coders working on products?

MR: I am a technology guy so that is where I am most comfortable. One of the reasons to do Sourcefire is to grow my set of capabilities from a pure standpoint of maximising this experience. I treat it like a learning experience. If you get into a situation like this where you've got a lot of really capable people and you've got a good company and a strong technology and a good business model, you would be a fool not to maximise the opportunity in terms of bettering yourself as a person.

PG: And bettering your bank account. Adding a few zeros wouldn't hurt either, would it?

MR: No, that definitely doesn't hurt, but that is never a certainty. It's the learning process that is great from a personal standpoint. So you start off with that -- and ultimately my comfort zone, the place where I am most familiar and I probably enjoy the most is talking to the engineers and putting big ideas up on the white board and trying to turn them into products.

PG: So you came here to deliver a couple of seminars in Sydney and Melbourne?

MR: Yes. There are several topics we are going to talk about which is our enterprise threat management strategy and the philosophy on enterprise threat management. We are going to talk about Snort's history and also talk about the future of Snort and Snort 3.0 and our Sourcefire products. We are also going to talk a little bit about thoughts on the open source model and how it fits into Snort and Clam AV.

PG: Speaking of Clam AV, you've actually acquired another company haven't you?

MR: Yes we acquired the Clam AV project which was right in the midst of forming a company when we knocked on their door and started talking to them about putting the groups together.

PG: Is this a case of you guys becoming a little bit more mainstream in terms of offering a breadth of products? Because we are seeing the point solution providers just disappear in security. Is this really a case of you guys trying to broaden your set of products so you can stay in the game in the long term?

MR: We haven't really been a point product provider in quite some time. If you look at Snort plus RNA, we've actually had a pretty interesting network-based offering. The thing that Clam AV brings to the table is the ability to deal with malware more effectively. So of course viruses, Trojans and things like that in all the channels so they can (control) things like email, instant messaging, web and things like that. The interesting part of it for me is thinking about the technologies that can be built around this anti-malware foundation. It's an extremely strong offering. It's got a community that is even larger than Snort's and it's got a huge signature database and it's got a group of dedicated developers who are very good at what they do. From my viewpoint it was a very strong acquisition for us and extremely complementary to our existing capabilities and that was branched out into areas that are very complementary.

This Q&A was transcribed from the Risky Business security podcast. Transcript by Danie Smallwood.
