Snort freeware takes commercial path
SAN JOSE - Snort may be a funny name for an intrusion-detection system, but for the last three years that hasn't stopped hundreds of companies from downloading this Linux-based freeware tool to detect and block hackers and computer worms.
Now the creator of Snort, Martin Roesch, is taking his freeware commercial with a start-up named Sourcefire and its first product. OpenSnort Sensor, a hardware/software appliance and management console starting at $10,000, will be released next week. Whether Roesch can translate his freeware success into a business will be closely watched. His effort harkens back to when independent-minded software engineers tinkered in the garage long before going corporate.
"I just moved this business out of my living room and into an office in Columbia, Md.," says Roesch, who met with Network World at last week's RSA Security conference to discuss his venture. So far, Sourcefire has raised about $2 million in funding.
Roesch has had stints over the past five years in the Washington, D.C., area at Stanford Telecommunications, GTE Internetworking and as a contractor on National Security Agency projects. He started Snort in 1998 "as a toy I was playing with," he says.
"Snort was a sniffer at first, and I felt the impetus to write the detection engine to classify the traffic it saw," Roesch says. Because Snort is a signature-based IDS, new code constantly has to be written to update it with the "signatures" to spot new types of attacks. A community of freeware enthusiasts collected around www.snort.org to provide input for those signatures. Brian Caswell, a software analyst at Mitre, contributed many signatures and edited many more. Snort freeware now maintains a library of 1,600 signatures.
One believer in Roesch and Snort is Steven Northcutt, education director at SANS Institute and formerly a security manager with the U.S. Navy, who invested $100,000 to get Sourcefire up and running.
Sourcefire is still small, with five employees, but expects to grow soon to nine. It has no vice president of sales.
Some competitors can only snort.
"I don't see them as a threat," says Marcus Ranum, founder and CTO of perhaps the oldest IDS firm, NFR Security. "Marty is a good technologist and a great guy." But he adds, "The Snort project is an amateurish effort" and he doubts if Roesch's expansion plans are realistic.
But that hasn't stopped Roesch from selling OpenSnort Sensor out of his living room.
"We've had really large companies here from Japan to buy it," Roesch says, claiming to have recently sold about four dozen OpenSnort appliances. "We've done $500,000 in sales to Fortune 500 companies in my living room."
A few of the hundreds of companies that liked Snort freeware are electing to become paying customers. These include PricewaterhouseCoopers, Cognos, U.S. Central Federal Credit Union, Univest and Mt. Sinai Medical Center.
Ken Redman, security administrator at Mt. Sinai Medical Center in New York, says the Snort freeware is appealing because the manager can set up to 1,600 rules for detecting and blocking suspicious traffic at the gateway to the Internet.
"That's more than a lot of the commercial IDS firms," he says, noting Cisco's IDS only has about 600 rule sets. "I go to the Snort Web site to check rule sets a lot."
Redman purchased the commercial version of Snort to gain the management console and the support service. Sourcefire engineer John Pavlik responds within minutes to questions, he says.
Redman says he picks freeware based on its features, not because it doesn't cost anything. And he remains an enthusiastic user of other security freeware tools such as Nmap, Nessus and ndtscan that are used for a variety of vulnerability-assessment tasks. (These tools are also used for nefarious purposes by hackers.)
Whether Snort freeware will be the seed for a viable business at Sourcefire is unknown, but Roesch already has ambitious plans for a second version of OpenSnort. The second version would work under a distributed model to aggregate information received across multiple OpenSnort sensors and produce a wider security view from a single console. In addition, Sourcefire wants to build host-based IDS for servers.
Whether this constitutes over-reaching on a limited budget is hard to say, but one thing is clear: If only as freeware, Snort is a presence other IDS vendors can't ignore. Recourse Technologies acknowledged the prevalence of Snort last week when it announced that its IDS, called ManHunt, will be able to process security events generated by IDS equipment from Cisco, Enterasys, Internet Security Systems - and Snort.
Contact Senior Editor Ellen Messmer
