Snort mailing list archives

Snort and SourceFire "Backdoored"


From: <joeypork () hushmail com>
Date: Sun, 21 Sep 2003 08:22:03 -0700

I guess now that we have this incident validated as positively true from
the main Snort/SourceFire IT person, it lends a lot of credibility to
the Snort/SourceFire "backdoor" rumor. 

There have been lots of rumors on IRC that a few months ago, some of
the PHC guys were able to compromise the snort CVS tree. Instead of creating
a traditional backdoor in Snort/SourceFire (simply opening a rootshell
on a specific port) they changed a lot of the code to introduce buffer
overflows that didn't exist previously, and could be exploited at a later
point in time. They changed a lot of the code to include strcpys where
there were strncpys and such. This is a lot less noticeable than PHC's
other open source security project trojan code inserts, such as the libpcap,
dsniff, and sendmail compromises.

Brian Caswell has said that Sourcefire did a major code audit after discovering
this compromise, which I think is very cool of them. 
Code audits can be very expensive, and I'm sure SourceFire footed the
bill. But, the question remains, how long were all of us exposed? And,
why did we learn of all this from blackhats releasing a fake phrack,
rather than from Snort/SourceFire?

I find it highly disturbing that this is how the whole incident unfolded,
as many Snort team members have ragged on the industry practice of hiding
major security incidents in the past. Don't we Snort users have the right
to know if our code has been trojaned and Snort/Sourcefire compromised?
Maybe not, but the paying customers of SourceFire for sure do.

Joey 



On Sun, 21 Sep 2003 02:08:15 -0700 Brian <bmc () snort org> wrote:
On Sat, Sep 20, 2003 at 10:46:14PM -0700, joeypork () hushmail com wrote:
Hey, has anyone else seen this:

http://www.phrack.nl/phrack62/p62-0x0d.txt

It looks like the PHC folks are at it again, the above is an article
on "sneeze", a new script that will generate traffic to trigger on every
snort rule.

Also, appended to the end of the article is the home dirs of everyone
at Sourcefire/Snort. You can see what is in Marty's directory, etc. Go
check it out.

Yes, this was a LONG time ago.  Note that ALL of the date timestamps are
dashed out.  Gee, I wonder why.  As well as normal incident response,
the entire snort team did a major audit of snort at that time for anything
injected.

BTW, for those of you wanting the original sneeze, it's still available
online at http://snort.sourceforge.net/sneeze-1.0.tar

-brian
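The substitution Joey describes above (a bounded strncpy quietly replaced by strcpy, with nothing else in the function changing) is exactly the kind of edit a post-compromise source audit has to catch, and it is easy to miss in a large diff. What follows is an added example, not code from this thread or from the Snort project: a small Python audit that walks a unified diff hunk by hunk, flags every added line that introduces an unbounded C string call, and marks it as a "swap" when the same hunk removed the bounded counterpart writing to the same destination buffer. The diff it runs on is constructed for the example (the path src/example.c and the function names are invented), and the UNBOUNDED table is an assumption you would extend for your own code base.

```python
"""Audit a unified diff for bounded-to-unbounded C string call swaps.

Added example, not Snort project code. Reports two kinds of finding:
  swap - an added unbounded call whose destination buffer matches a removed
         bounded call in the same hunk (strncpy -> strcpy and friends)
  new  - any other added line that introduces an unbounded call
"""
import re
from dataclasses import dataclass

# Unbounded call -> bounded counterpart. Assumed table; extend for your code base.
UNBOUNDED = {"strcpy": "strncpy", "strcat": "strncat",
             "sprintf": "snprintf", "gets": "fgets"}

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
FILE_RE = re.compile(r"^\+\+\+ (?:b/)?(\S+)")


@dataclass
class Finding:
    path: str
    line: int   # line number in the new (post-change) file
    kind: str   # "swap" or "new"
    call: str
    text: str


def call_args(line, name):
    """Top-level argument list of the first `name(` call on the line, or None."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\(", line)
    if not m:
        return None
    depth, cur, args = 1, [], []
    for ch in line[m.end():]:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    return None  # call is not closed on this line; ignore it


def audit_diff(diff_text):
    """Return a list of Finding objects for every added unbounded call."""
    findings = []
    path, new_line = None, 0
    hunk_removed, hunk_added = [], []

    def close_hunk():
        for lineno, text in hunk_added:
            for call, bounded in UNBOUNDED.items():
                args = call_args(text, call)
                if args is None:
                    continue
                kind = "new"
                for old in hunk_removed:
                    old_args = call_args(old, bounded)
                    # Same destination buffer as a removed bounded call: a swap.
                    if old_args and old_args[0] == args[0]:
                        kind = "swap"
                        break
                findings.append(Finding(path, lineno, kind, call, text.strip()))
        hunk_removed.clear()
        hunk_added.clear()

    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            close_hunk()
            path = FILE_RE.match(raw).group(1)
        elif raw.startswith("@@"):
            close_hunk()
            new_line = int(HUNK_RE.match(raw).group(1))
        elif raw.startswith("-") and not raw.startswith("--- "):
            hunk_removed.append(raw[1:])
        elif raw.startswith("+"):
            hunk_added.append((new_line, raw[1:]))
            new_line += 1
        elif raw.startswith(" ") or raw == "":
            new_line += 1          # unchanged context line
    close_hunk()
    return findings


# Constructed sample diff: one strncpy->strcpy swap and one newly added sprintf.
SAMPLE_DIFF = """\
diff --git a/src/example.c b/src/example.c
--- a/src/example.c
+++ b/src/example.c
@@ -40,7 +40,7 @@ static void set_iface(Session *s, const char *name)
 {
     if (name == NULL)
         return;
-    strncpy(s->iface, name, sizeof(s->iface) - 1);
+    strcpy(s->iface, name);
     s->iface[sizeof(s->iface) - 1] = '\\0';
 }
@@ -88,5 +88,6 @@ static void log_banner(char *out, const char *host)
 {
+    sprintf(out, "host=%s", host);
     size_t n = strlen(host);
     if (n >= BANNER_MAX)
         return;
"""

if __name__ == "__main__":
    for f in audit_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line}: [{f.kind}] {f.call}: {f.text}")
```

Run it against `git diff` or `cvs diff -u` output piped into `audit_diff`; a "swap" finding is the stronger signal, since a bounded call being replaced by its unbounded twin on the same buffer has almost no legitimate reason to appear in a commit.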







_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net