Snort mailing list archives

RE: Snort-Machine = Security Hole?


From: "Crow, Owen" <Owen_Crow () bmc com>
Date: Thu, 12 Jul 2001 09:14:38 -0500

<theory> Attacker sends packets designed to exploit a future buffer overflow
in Snort that opens a connection back to attacker's computer.</theory>  In
this case the first two-way communication is initiated by your Snort box via
its admin port back out to the Internet.  Once there's a buffer overflow
and a way back to the Internet, the Snort box is fair game.

[From this point on, I'm going to substitute "vulnerable system" instead of
"Snort system" since this isn't a Snort-specific problem.]
You mention the main fix for this, though: don't allow your vulnerable
system to connect back to the Internet.  That doesn't protect the other
systems on your management LAN that can be attacked by your now-hostile
vulnerable system.  If you don't keep the vulnerable system quarantined,
then you've got to expect anything it catches to spread.

Basically, I would treat the Snort box the way you would treat any other box
in your DMZ, important but expendable and possibly compromised.

I haven't analyzed the probability of that future exploit.  Snort itself
seems pretty immune in that it does minimal analysis of packet contents, but
some of the preprocessors could open up vulnerabilities if they make
assumptions about packet contents.  For comparison, see these links for
tcpdump exploits/DoS attacks:

"tcpdump AFS ACL Packet Buffer Overflow Vulnerability"
at http://www.securityfocus.com/bid/1870
"Tcpdump Protocol Four and Zero Header Length Vulnerability"
at http://www.securityfocus.com/bid/313
"Multiple Sniffer Vendor DNS Decode Vulnerability"
at http://www.securityfocus.com/bid/1165

The first one is an actual root compromise; the last two are just DoS for
tcpdump.

Of course you could just not worry about it until the first Snort exploit is
posted at 5:01PM on a Friday afternoon :).

Regards,
Owen Crow
Systems Programmer (Unix)
BMC Software, Inc.

-----Original Message-----
From: Daniel Voyer [mailto:daniel.voyer () cgi ca]
Sent: Thursday, July 12, 2001 7:41 AM
To: Thorsten Ziegler
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort-Machine = Security Hole?


Hey ...

I don't catch this one ...

Imagine this scenario:

I put a hub or a switch (with span port) between my firewall and my Internet
router. On this hub I place a snort machine with two NICs.
The first NIC is directly connected to the switch with *0.0.0.0* IP address.

The second NIC is directly connected to a management LAN somewhere in my
internal network.

I use the first NIC (0.0.0.0) to do what an IDS should do: I sniff the network
with some filter....
And I use the second NIC to manage my snort box and to receive any alert/log
....

So now, what should your concern about security be?
How could somebody attack my snort box on the IP address 0.0.0.0?

And if it's possible to attack my box (with IP 0.0.0.0), just in case we
should be paranoid .... I can put an access list in my border router to deny
any established connections on my snort box.
And I will still receive any traffic passing through the switch because I
place my snort box on a span port (that means I receive anything that my
switch puts in its buffer).

So, again, how could you attack my snort box??

- Dan
I'm really interested to see any mail on this one.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
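As an added illustration (not part of either message above, nor of Snort), here is a small Python check of the policy the two posters converge on: the sensor's management NIC may originate traffic only to a short allowlist of management hosts, and anything else it initiates, especially toward a non-RFC1918 address, is a finding worth alerting on. It reads connection records in their originating direction (the way the first packet of a conntrack entry or a NetFlow record is logged). The sensor address, the allowlist, the `proto src:sport -> dst:dport` log format and every sample flow are constructed for this example.

```python
"""Egress audit for an IDS sensor's management interface (constructed example).

A sensor that only sniffs should never *initiate* connections beyond its
management plumbing. Any flow it originates outside the allowlist is reported,
and a destination outside RFC1918 space is called out as a possible callback.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed: address of the sensor's management NIC (the sniffing NIC has no IP).
SENSOR_MGMT_IP = ip_address("10.10.0.5")

# Constructed allowlist of flows the sensor is expected to originate:
# (protocol, destination address, destination port).
ALLOWED_EGRESS = {
    ("udp", ip_address("10.10.0.20"), 514),  # syslog to the log collector
    ("tcp", ip_address("10.10.0.20"), 3306), # alert database (hypothetical)
    ("udp", ip_address("10.10.0.1"), 123),   # NTP via the management gateway
}

# RFC1918 ranges, listed explicitly so the check does not depend on how a
# given Python version classifies documentation/test ranges.
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]


@dataclass
class Flow:
    proto: str
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'proto src:sport -> dst:dport'."""
    try:
        proto, src, arrow, dst = line.split()
        if arrow != "->":
            raise ValueError("missing direction marker")
        s_ip, s_port = src.rsplit(":", 1)
        d_ip, d_port = dst.rsplit(":", 1)
    except ValueError as exc:
        raise ValueError(f"malformed flow record {line!r}: {exc}") from exc
    return Flow(proto.lower(), ip_address(s_ip), int(s_port),
                ip_address(d_ip), int(d_port))


def is_private(addr: IPv4Address) -> bool:
    return any(addr in net for net in PRIVATE_NETS)


def classify(flow: Flow):
    """Return None if the flow is acceptable, otherwise a short reason."""
    if flow.src != SENSOR_MGMT_IP:
        return None  # only connections the sensor itself originates matter here
    if (flow.proto, flow.dst, flow.dport) in ALLOWED_EGRESS:
        return None
    if not is_private(flow.dst):
        return "sensor-initiated connection to Internet address (possible callback)"
    return "sensor-initiated connection outside management allowlist"


def audit(lines):
    """Return [(record, reason)] for every sensor-originated flow that violates policy."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        reason = classify(parse_flow(line))
        if reason:
            findings.append((line, reason))
    return findings


# Constructed sample: an admin SSH-ing in (fine), syslog out (fine),
# a reverse connection to the Internet (bad), SMB to a management-LAN
# neighbour (bad: the lateral movement Owen warns about).
SAMPLE_FLOWS = """
tcp 10.10.0.50:51022 -> 10.10.0.5:22
udp 10.10.0.5:40001 -> 10.10.0.20:514
tcp 10.10.0.5:49152 -> 192.0.2.7:443
tcp 10.10.0.5:49153 -> 10.10.0.33:445
"""

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_FLOWS.splitlines()):
        print(f"ALERT {reason}: {record}")
```

The same allowlist is what you would turn into the border-router ACL Dan describes and into the sensor's own host firewall: default-deny for anything the management address originates, permit only the listed flows, and log the rest. Running this over the sensor's connection records then gives you a second, independent view of whether that rule set is actually holding.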

