Full Disclosure mailing list archives
Re: [Snort-users] Snort and SourceFire "Backdoored"
From: Richard DeYoung <webmaster () verticept com>
Date: 21 Sep 2003 23:23:27 -0400
Now for a somewhat different perspective on the whole thing....

> I guess now that we have this incident validated as positively true from the main Snort/SourceFire IT person, it lends a lot of credibility to the Snort/SourceFire "backdoor" rumor.

Hmmm. So, "guess"+"validated"+"positively true"(vs "mostly true") == "credible" ???

> There have been lots of rumors on IRC that a few months ago, some of the PHC guys were able to compromise the snort CVS tree. Instead of creating a traditional backdoor in Snort/SourceFire (simply opening a rootshell on a specific port) they changed a lot of the code to introduce buffer overflows that didn't exist previously, and could be exploited at a later point in time. They changed a lot of the code to include strcpy()s where there were strncpy()s and such. This is a lot less noticeable than PHC's other open source security project trojan code inserts, such as the libpcap, dsniff, and sendmail compromises.

Given the fact that you heard the rumors of massive injections of strcpy() into the main Snort CVS repository on an IRC channel and not published to the community at large, what other sources do you cite in order to arrive at your decision that this is a "credible" incident??

> Brian Caswell has said that Sourcefire did a major code audit after discovering this compromise, which I think is very cool of them. Code audits can be very expensive, and I'm sure SourceFire footed the bill.

Code audit after a system compromise; a prudent and effective way of maintaining code integrity.

> But, the question remains, how long were all of us exposed?

Exposed?? You still haven't demonstrated that the "rumors" you heard were, in fact, more than just rumors.

> And, why did we learn of all this from blackhats releasing a fake phrack, rather than from Snort/SourceFire?

Again, what did we supposedly learn from some bh's releasing a fake phrack? I believe they've succeeded in demonstrating how quickly some people claiming to be "in the IDS discipline" can be made to jump to conclusions at the drop of a few "catch phrases" or half-truths.

> I find it highly disturbing that this is how the whole incident unfolded, as many Snort team members have ragged on the industry practice of hiding major security incidents in the past. Don't we Snort users have the right to know if our code has been trojaned and Snort/Sourcefire compromised?

Yes, you do. That's why you download it in source code format, and not in pre-compiled binaries such as those released by other companies "in the industry". IDS is only the leading-edge (topologically speaking) technical representation of a company's policy/process structure. As has been said repeatedly, where you go from there is up to you.

> Maybe not, but the paying customers of SourceFire for sure do. Joey

Gee, it must suck to be the target of a social engineering hack, eh ??? -- --Rick[at]Verticept
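The rumor discussed in this thread describes a sabotage pattern (bounded string copies quietly replaced by unbounded ones between two revisions) that is cheap to screen for when you have both revisions of the source, which is exactly the position a user pulling from a public CVS tree is in. The following is an added example written for this archive page; it is not Snort code, not Sourcefire's audit tooling, and not from any poster in the thread. The two C fragments OLD_SRC and NEW_SRC are constructed for illustration (a hypothetical decoder, not a real Snort file), the function names count_calls, suspicious_substitutions and new_unbounded_lines are this example's own, and the regexes are a deliberately crude first pass: they match call names textually and know nothing about the destination buffer sizes, so a hit is a line to audit by hand, not a confirmed overflow.

```python
import re
from collections import Counter

# Constructed sample: two revisions of a hypothetical decoder file.
# OLD_SRC uses bounded copies throughout; NEW_SRC replaces one of them
# with strcpy(), the kind of change the thread's rumor describes.
OLD_SRC = r"""
void decode_name(char *dst, const char *src, size_t n)
{
    strncpy(dst, src, n - 1);
    dst[n - 1] = '\0';
}
void copy_opts(char *dst, const char *src, size_t n)
{
    strncpy(dst, src, n);
}
"""

NEW_SRC = r"""
void decode_name(char *dst, const char *src, size_t n)
{
    strcpy(dst, src);
}
void copy_opts(char *dst, const char *src, size_t n)
{
    strncpy(dst, src, n);
}
"""

# Unbounded libc calls and the bounded counterpart each is usually
# swapped for. gets() has no bounded counterpart, so it is only flagged
# by new_unbounded_lines(), never by suspicious_substitutions().
BOUNDED_FOR = {"strcpy": "strncpy", "strcat": "strncat", "sprintf": "snprintf"}

# Matches both the bounded and unbounded spelling of each family.
CALL_RE = re.compile(r"\b(str(?:n)?cpy|str(?:n)?cat|s(?:n)?printf|gets)\s*\(")
UNBOUNDED_RE = re.compile(r"\b(strcpy|strcat|sprintf|gets)\s*\(")


def count_calls(src):
    """Count textual occurrences of each copy/format call in a source blob."""
    return Counter(CALL_RE.findall(src))


def suspicious_substitutions(old_src, new_src):
    """Return (bounded, unbounded, bounded_lost, unbounded_gained) tuples for
    every call family where the bounded count fell between revisions while
    the unbounded count rose. A legitimate refactor almost never does both
    at once, so each tuple is worth a reviewer's attention."""
    old, new = count_calls(old_src), count_calls(new_src)
    findings = []
    for unbounded, bounded in BOUNDED_FOR.items():
        gained = new[unbounded] - old[unbounded]
        lost = old[bounded] - new[bounded]
        if gained > 0 and lost > 0:
            findings.append((bounded, unbounded, lost, gained))
    return findings


def new_unbounded_lines(old_src, new_src):
    """Return (line_number, stripped_line) for lines in new_src that do not
    appear anywhere in old_src and contain an unbounded call. Line numbers
    are 1-based into new_src; whitespace-only lines are ignored."""
    old_lines = {line.strip() for line in old_src.splitlines()}
    hits = []
    for number, line in enumerate(new_src.splitlines(), start=1):
        stripped = line.strip()
        if stripped and stripped not in old_lines and UNBOUNDED_RE.search(stripped):
            hits.append((number, stripped))
    return hits


if __name__ == "__main__":
    for bounded, unbounded, lost, gained in suspicious_substitutions(OLD_SRC, NEW_SRC):
        print(f"{bounded} -> {unbounded}: lost {lost} bounded, gained {gained} unbounded")
    for number, line in new_unbounded_lines(OLD_SRC, NEW_SRC):
        print(f"new unbounded call at line {number}: {line}")
```

Run on the constructed sample, the count check reports one strncpy() lost against one strcpy() gained, and the line check points at the new strcpy() in decode_name(); copy_opts(), which kept its strncpy(), produces no hit. In practice you would feed the function two checkouts of the same file (or the two sides of a cvs diff) and treat any finding as a prompt to read the surrounding code and the size of the destination buffer, since the screen deliberately trades precision for speed.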
Current thread:
- Re: Snort and SourceFire "Backdoored" joeypork (Sep 21)
- Snort not backdoored, Sourcefire not compromised Martin Roesch (Sep 21)
- RE: Snort not backdoored, Sourcefire not compromised Exibar (Sep 22)
- RE: Snort not backdoored, Sourcefire not compromised Daniele Muscetta (Sep 22)
- Message not available
- Re: [Snort-users] RE: Snort not backdoored, Sourcefire not compromised Daniele Muscetta (Sep 22)
- RE: Snort not backdoored, Sourcefire not compromised Exibar (Sep 22)
- Snort not backdoored, Sourcefire not compromised Martin Roesch (Sep 21)
- Re: Snort not backdoored, Sourcefire not compromised Andreas Marx (Sep 22)
- <Possible follow-ups>
- Snort and SourceFire "Backdoored" joeypork (Sep 21)
- Re: Snort and SourceFire "Backdoored" Brian (Sep 21)
- Re: [Snort-users] Re: Snort and SourceFire "Backdoored" Peteris Krumins (Sep 21)
- Re: [Snort-users] Snort and SourceFire "Backdoored" Richard DeYoung (Sep 22)
- Re: Snort and SourceFire "Backdoored" Brian (Sep 21)
- Re: Snort and SourceFire "Backdoored" whatthefukever (Sep 22)