In 1998 Martin Roesch launched the open source Snort Intrustion Prevention System (IPS). Three years later, he founded Sourcefire to lead the commercial efforts around Snort and enterprise security. Today Sourcefire continues to prosper, reporting $223.1 million in fiscal 2012 earnings.
Where does that leave the open source Snort project after all these years?
In an exclusive interview with eSecurity Planet, Roesch explains the role that open source security still plays in his firm, 15 years after it helped him start it all.
Roesch noted that the open source Snort project is still primarily controlled by him and Sourcefire, and that’s not necessarily a bad thing.
“In the early days of Snort we had lots of contributions,” Roesch said. “As we’ve matured over time, we’ve come to realize that there are things that should belong in Snort and things that should not.”
As such, over time the Snort project has focused on core functionality and external programs that extend non-core capabilities. That said, Roesch noted that the Snort open source development mailing list activity has been creeping up in recent years.
Snort can stand on its own without Sourcefire, in the sense that it is a functional IPS system that anyone can use. Roesch noted that keeping IPS up-to-date is critical, which is the role that Sourcefire plays.
“If an asteroid fell on top of Sourcefire headquarters and we all ceased to be, somebody else would have to take the ball and run with it,” Roesch said. “It will go stale if you don’t maintain it.”
Individual Linux distributions that include Snort typically package Snort themselves. Sourcefire’s staffers produce the tarball source file that can then be packaged.
Open Source vs. Proprietary
As a commercial entity, Sourcefire doesn’t put everything it develops into the open source community.
“There are things that we haven’t open sourced that I think we should and there have been things that we have open sourced, that I’m very happy that we did,” Roesch said.
Sourcefire’s RNA (Real-time Network Awareness) is one such technology that is not open source. RNA is a passive sonar that can enumerate devices on a network. That said, Roesch noted that some other cutting edge capabilities, including anti-evasion technology, have landed in the open source codebase.
Snort does benefit from contributions that come in via the open source community. Often those are bug fixes, and sometimes small features. Large features do not typically come in via the open source community.
“We don’t see big contributions like we did back in the early days of the project,” Roesch said. “We’re building a commercial product which means if you’re going to put code into it, it has got to be vetted.”
There are also performance and configuration items that Sourcefire needs to monitor.
“We do still see a lot of development around the open source community with people taking Snort and doing a project around it,” Roesch said.
Sourcefire is also the lead sponsor behind the open source ClamAV anti-virus project. Sourcefire took over the leadership of ClamAV in 2007.
Sourcefire has since been integrating the technology into commercial offerings as well as continuing to extend and support the open source community. Millions of desktop users today benefit from the ClamAV technology and its related Immunet software for Windows users.
Roesch noted that ClamAV is an interesting project for Sourcefire as it exposes his company to a tremendous amount of malware. That malware educates Sourcefire’s security intelligence and improves overall security efforts.
“We keep the community going and we keep releases coming out and the community is up and running,” Roesch said.
Watch the video interview with Martin Roesch, founder of Sourcefire below: