Snort mailing list archives
Snort and SourceFire "Backdoored"
From: <joeypork () hushmail com>
Date: Sun, 21 Sep 2003 08:22:03 -0700
I guess now that we have this incident validated as positively true by the main Snort/SourceFire IT person, it lends a lot of credibility to the Snort/SourceFire "backdoor" rumor.

There have been lots of rumors on IRC that a few months ago, some of the PHC guys were able to compromise the Snort CVS tree. Instead of creating a traditional backdoor in Snort/SourceFire (simply opening a rootshell on a specific port), they changed a lot of the code to introduce buffer overflows that didn't exist previously and could be exploited at a later point in time. They changed a lot of the code to include strcpys where there were strncpys and such. This is a lot less noticeable than PHC's other open source security project trojan code inserts, such as the libpcap, dsniff, and sendmail compromises.

Brian Caswell has said that Sourcefire did a major code audit after discovering this compromise, which I think is very cool of them. Code audits can be very expensive, and I'm sure SourceFire footed the bill. But the question remains: how long were all of us exposed? And why did we learn of all this from blackhats releasing a fake Phrack, rather than from Snort/SourceFire? I find it highly disturbing that this is how the whole incident unfolded, as many Snort team members have ragged on the industry practice of hiding major security incidents in the past. Don't we Snort users have the right to know if our code has been trojaned and Snort/Sourcefire compromised? Maybe not, but the paying customers of SourceFire for sure do.

Joey

On Sun, 21 Sep 2003 02:08:15 -0700 Brian <bmc () snort org> wrote:

> On Sat, Sep 20, 2003 at 10:46:14PM -0700, joeypork () hushmail com wrote:
> > Hey, has anyone else seen this: http://www.phrack.nl/phrack62/p62-0x0d.txt
> > It looks like the PHC folks are at it again; the above is an article on
> > "sneeze", a new script that will generate traffic to trigger on every
> > snort rule. Also, appended to the end of the article is the home dirs of
> > everyone at Sourcefire/Snort. You can see what is in Marty's directory,
> > etc. Go check it out.
>
> Yes, this was a LONG time ago. Note that ALL of the date timestamps are
> dashed out. Gee, I wonder why. As well as normal incident response, the
> entire snort team did a major audit of snort at that time for anything
> injected.
>
> BTW, for those of you wanting the original sneeze, it's still available
> online at http://snort.sourceforge.net/sneeze-1.0.tar
>
> -brian
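The substitution Joey describes, a bounded copy quietly swapped for an unbounded one, is exactly the kind of change a source audit after a repository compromise has to look for, and it is easy to miss in a large diff. As an added example that is not part of this thread and not Snort or Sourcefire code, the following Python script diffs two versions of a C source file and flags lines where a strncpy/strncat/snprintf-style call was replaced by strcpy/strcat/sprintf, plus a flat scan for any remaining unbounded calls. The before/after C snippets are constructed for illustration; the function table and pairing heuristic are my own assumptions, not any project's audit tooling.

```python
"""
Added example (not from the original thread or the Snort project): a small
audit helper that compares two versions of a C source file and flags lines
where a bounded string function (strncpy, strncat, snprintf, ...) was
replaced by its unbounded counterpart. The C snippets below are constructed
for illustration; they are not Snort code.
"""
import difflib
import re

# Bounded -> unbounded pairs worth flagging when they swap in a diff.
# (Assumed table; extend for the code base being audited.)
UNSAFE_FOR = {
    "strncpy": "strcpy",
    "strncat": "strcat",
    "snprintf": "sprintf",
    "vsnprintf": "vsprintf",
    "strlcpy": "strcpy",
    "strlcat": "strcat",
}

CALL_RE = re.compile(r"\b([a-zA-Z_][a-zA-Z0-9_]*)\s*\(")


def calls_in(line):
    """Return the set of identifiers called on a source line (// comments stripped)."""
    line = re.sub(r"//.*$", "", line)
    return set(CALL_RE.findall(line))


def find_unbounded_swaps(old_src, new_src):
    """
    Diff old_src against new_src and report (old_line, new_line, bounded, unbounded)
    for each replaced line where a bounded call vanished and the matching unbounded
    call appeared. Removed/added lines inside a hunk are paired positionally, which
    covers the usual one-for-one rewrite.
    """
    old = old_src.splitlines()
    new = new_src.splitlines()
    findings = []
    sm = difflib.SequenceMatcher(a=old, b=new)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag != "replace":
            continue
        removed, added = old[i1:i2], new[j1:j2]
        for k in range(max(len(removed), len(added))):
            o = removed[k] if k < len(removed) else ""
            n = added[k] if k < len(added) else ""
            oc, nc = calls_in(o), calls_in(n)
            for bounded, unbounded in UNSAFE_FOR.items():
                if bounded in oc and unbounded in nc and bounded not in nc:
                    findings.append((o.strip(), n.strip(), bounded, unbounded))
    return findings


def find_unbounded_calls(src):
    """Flat scan: (line_no, line) for every line calling an unbounded string function."""
    unbounded = set(UNSAFE_FOR.values())
    return [(no, ln.strip()) for no, ln in enumerate(src.splitlines(), 1)
            if calls_in(ln) & unbounded]


# Constructed before/after snippets (not real Snort code): the "after" version
# drops the length bound and the explicit terminator, turning a safe copy into
# a stack/heap overflow for any src longer than r->name.
OLD_SRC = """\
static void set_name(struct rule *r, const char *src)
{
    strncpy(r->name, src, sizeof(r->name) - 1);
    r->name[sizeof(r->name) - 1] = '\\0';
    snprintf(r->msg, sizeof(r->msg), "rule %s", r->name);
}
"""

NEW_SRC = """\
static void set_name(struct rule *r, const char *src)
{
    strcpy(r->name, src);
    snprintf(r->msg, sizeof(r->msg), "rule %s", r->name);
}
"""

if __name__ == "__main__":
    for o, n, b, u in find_unbounded_swaps(OLD_SRC, NEW_SRC):
        print(f"{b} -> {u} swap:\n  - {o}\n  + {n}")
    for no, ln in find_unbounded_calls(NEW_SRC):
        print(f"unbounded call at line {no}: {ln}")
```

Run against a real tree, the two inputs would be the contents of a file at the last trusted revision and at HEAD (e.g. from `cvs diff` or `git show`); the positional pairing is a heuristic, so a hunk that also reorders lines should still be read by hand, and the flat scan catches unbounded calls that were added in fresh code rather than swapped in.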
Current thread:
- Snort and SourceFire "Backdoored" joeypork (Sep 21)
- Re: Snort and SourceFire "Backdoored" Brian (Sep 21)
- Re: Snort and SourceFire "Backdoored" Richard DeYoung (Sep 21)