
I had a chat with open source intrusion prevention firm Sourcefire's founder and CTO Martin Roesch earlier in the week - I thought it was a good time to have a catch-up, what with his company having just rejected Barracuda's unsolicited $188m offer to buy the firm, and it being about to launch Snort 3.0.

Sourcefire CTO and founder Marty Roesch: talks fast, codes faster.
Roesch founded Sourcefire in 2001 after developing the open source intrusion detection/prevention tool Snort, literally running the firm from his living room for a year and later raising $55m in VC funding to kick-start the firm's development. It raised around $86m in its IPO in March 2007.
Barracuda made its offer on May 30, putting $7.50 per share in cash on the table -- a 13% premium above the company's May 23 closing price. It also represented a 16% premium over the average trading stock price during the past 60 trading days.
But Sourcefire turned the offer down, saying it undervalued the company.
"I have to be careful what I say about [the offer and its rejection], because I am also on the board," Roesch told me. "OK, personally, I don't think the timing is right to sell Sourcefire. We're bullish about our prospects; we have a lot of good people. We're hiring a new CEO and we have tons of potential. I'm not feeling like we should throw in the towel."
What about the firm's financial health? It has plenty of cash in the bank after its IPO but has yet to hit profitability. "We did $55.9m in revenue last year and the current First Call analyst consensus estimate for FY08 is $66M," Roesch told me. "We've been flirting with profitability - we've been on the cusp of profitability and we are generating cash, but we have seasonality in our business model and revenue model - historically, approximately 35% of our revenue has come in our fourth quarter the last five years. We've also been investing to be compliant with Sarbanes-Oxley of course."
Away from the firm's finances, it's still clearly got a technology portfolio to invest in, not least its flagship, the open source Snort product. Roesch said the firm is about to release the beta of version 3 of Snort - so what's new in the latest version?
"We have been working on a ground-up rewrite of Snort," said Roesch. Isn't that rather risky though (it took Netscape eight years when it decided on a rewrite of its browser, during which time it let Microsoft in with IE)? "Sure if you Google the entire rewriting of your code you'll find it's generally considered a very bad idea," said Roesch. "But I think you can do it if you ruthlessly control the feature set and leverage existing code wherever possible, and not just in the code base itself but in the libraries that are used too."
But why the rewrite? "There were several big things," Roesch said. "I have more horsepower on my iPhone than some PCs used to have, and you can't buy a laptop without multiple cores these days. Snort is a processing pipeline, so how do you adapt that for multi-cores? You have to split it up and then load-balance across the cores but it's very complex. We really needed a multi-threaded engine in the code base, and without rewriting it that would have been a nightmare: not just writing it but testing it all."
"Secondly I want Snort to run continuously," said Roesch, "to run without having to shut it down, ever. Customers need to be able to swap in a new configuration and interact with it as it is running, not have to take it down to make configuration changes."
"So we decided to build a whole new code base using good solid software engineering processes to do this," Roesch said. "Multi-threaded, able to handle IPv6 natively, and much easier to add hardware acceleration where it makes sense. There are hooks in the new engine so you can add hardware acceleration in there where you need it. Customers are inspecting five to ten million packets a second, so it's good to put some of this into hardware."
Snort 3 will beta towards the end of this month, Roesch said, and it has been broken down into two pieces: the Snort Detection Engine and the Snort Security Platform, which handles things like output generation.
As for how Sourcefire differentiates itself from the IPS/IDS competition, which includes the likes of McAfee, TippingPoint, Cisco et al, Roesch said the biggest thing is Sourcefire's real-time network awareness technology: "We're better at rejecting false positives, and we give customers less data than competitors which means they have less to analyse. We leverage our awareness technology very, very heavily."
As for what Sourcefire is adding to Snort or bolting onto Snort that it will be able to sell as a commercial product, Roesch said the firm is adding Policy Enforcement Point to future versions to handle more sophisticated policy management, though that probably won't be available until next year.
I had hoped that it would be available sooner than next year.