January 31, 2002

Intrusion software maker snorts at security alert

Author: JT Smith

Anonymous Reader writes: "The developer of Snort, a popular open-source intrusion detection system (IDS), downplayed reports of a security flaw that could enable attackers to disable the software. According to an alert released Monday by Internet Security Systems (ISS), Snort versions 1.8.3 and earlier are susceptible to a denial of service attack."

"If launched successfully against a Snort-protected network, all IDS functionality may be disabled until Snort is manually restarted," said ISS in its alert.

ISS, which markets a commercial IDS product named RealSecure, stated that Snort's default configuration does not have the ability to restart when it crashes and requires a separate script or process monitor for such functionality.

The flaw in Snort was originally reported by a user named Sinbad Jan. 10 on the Bugtraq security mailing list, along with instructions on how to cause the software to crash and exit.

Martin Roesch, Snort's developer, was not immediately available for comment.

A message posted Monday by Roesch to a mailing list for Snort users noted that the denial of service attack is only successful on Linux-based Snort installations that have a feature called ASCII payload dump enabled.

"I think someone at ISS is putting together some marketing (fear, uncertainty, and doubt)," wrote Roesch, who also pointed out that instructions on how to patch the program were posted to both the Bugtraq and Snort lists on Jan. 10.

After one Snort user responded that the software's download site contained no mention of the security vulnerability, a message was posted today on the front page of http://www.snort.org with a link to the Bugtraq post.

According to the Snort Web site, Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. The software is available for Unix, Macintosh, and Windows platforms.

The Snort site is at http://www.snort.org .
The Bugtraq report is at http://www.securityfocus.com/archive/1/249340 .
The ISS alert is online at http://xforce.iss.net/static/7874.php .

Article by www.linux-box.org"

