This story was printed from ZDNet Australia.
Snort vulnerability exposed
By Patrick Gray, March 04, 2003
URL: http://www.zdnet.com.au/news/security/soa/Snort-vulnerability-exposed/0,130061744,120272559,00.htm
The discovery and disclosure of a serious vulnerability in the Sendmail e-mail software by Atlanta-based security giant Internet Security Systems (ISS) is starving another vulnerability of the attention it deserves. ISS has also disclosed a buffer overflow vulnerability in Snort, a widely used open-source intrusion detection system.

"Remote attackers may exploit the buffer overflow condition to run arbitrary code on a Snort sensor with the privileges of the Snort IDS process," the advisory said.

Snort is a network-based intrusion detection system (IDS) which sniffs data on a network and compares it to known attack signatures. Snort logs any suspicious activity it detects, allowing system administrators to respond to attacks or to use the collected data in forensic investigations.

By sending specially formed "fragmented RPC" data across a network segment monitored by a Snort sensor, it is possible to compromise the sensor. The sensor acts on traffic it merely observes, so the attacker needs no account on the sensor and no connection to it; the malformed packets only have to pass the interface it is sniffing.

If an attacker can gain access to an IDS they may be able to delete its logs, add false log entries or simply shut the whole system down. If the IDS is "switched off", an attacker can be as indiscreet as they want without setting alarm bells ringing, which is serious according to Melbourne-based security consultant Nathan Macrides. "Your IDS is supposed to be detecting exploits to vulnerabilities, not being exploited itself," he said.

Under certain conditions, this vulnerability may allow an attacker to gain a foothold in a network by compromising a Snort system; however, this can be avoided if the IDS is set up properly. Macrides says IDSs can be set up so that vulnerabilities in their own software don't render the rest of the network vulnerable to attack, but companies often shy away from the extra cost. In practice that means running the sensor under an unprivileged account rather than as root, sniffing from an interface that has no IP address of its own, and managing the sensor over a separate network, so that code running with the Snort process's privileges has as little as possible to reach. He believes in spending the extra time and money when deploying any IDS "because you just don't know when these things are going to happen".
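The article says only that "fragmented RPC" data triggers the overflow. The following is an added illustration of that bug class, written for this page; it is not Snort's code and not taken from the ISS advisory. Sun RPC over TCP prefixes each fragment with a 4-byte record marker whose top bit flags the last fragment and whose low 31 bits give the fragment length, and a decoder that copies fragments into a fixed buffer while trusting those lengths can be overrun by a stream of fragments that individually look harmless. The buffer size, the function names and the sample packets below are assumptions constructed for the demo; the reassembler returns a status instead of copying whenever either length check fails.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustrative Sun RPC record-marking reassembly (added example, not Snort's code). */

#define RPC_MAX_MSG   256            /* reassembly buffer size, chosen for the demo */
#define RPC_LAST_FRAG 0x80000000u    /* record marker: high bit = last fragment   */
#define RPC_LEN_MASK  0x7fffffffu    /* record marker: low 31 bits = fragment len */

typedef enum { RPC_OK = 0, RPC_INCOMPLETE, RPC_TRUNCATED, RPC_TOO_BIG } rpc_status;

/* Read a big-endian 32-bit record marker. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Reassemble the fragments in pkt[0..len) into out[RPC_MAX_MSG].
 * The overflow class described in the article comes from trusting the
 * 31-bit length in each marker; check (B) is the one that prevents it,
 * and check (A) stops the copy reading past the end of the packet. */
rpc_status rpc_reassemble(const uint8_t *pkt, size_t len, uint8_t *out, size_t *out_len)
{
    size_t off = 0, total = 0;
    for (;;) {
        if (off == len)     return RPC_INCOMPLETE;  /* more fragments expected later */
        if (off + 4 > len)  return RPC_TRUNCATED;   /* no room for a record marker   */
        uint32_t marker = be32(pkt + off);
        size_t flen = marker & RPC_LEN_MASK;
        off += 4;
        if (flen > len - off)           return RPC_TRUNCATED; /* (A) marker claims more than the packet carries */
        if (flen > RPC_MAX_MSG - total) return RPC_TOO_BIG;   /* (B) reassembled message would overrun out[]   */
        memcpy(out + total, pkt + off, flen);
        total += flen;
        off += flen;
        if (marker & RPC_LAST_FRAG) {
            if (out_len) *out_len = total;
            return RPC_OK;
        }
    }
}

/* Constructed sample: n fragments of flen bytes of 'A' each, the last one flagged.
 * Returns the packet length, or 0 if it would not fit in buf. */
size_t build_fragments(uint8_t *buf, size_t bufsz, size_t n, size_t flen)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        if (off + 4 + flen > bufsz) return 0;
        uint32_t marker = (uint32_t)flen | (i + 1 == n ? RPC_LAST_FRAG : 0);
        buf[off++] = (uint8_t)(marker >> 24);
        buf[off++] = (uint8_t)(marker >> 16);
        buf[off++] = (uint8_t)(marker >> 8);
        buf[off++] = (uint8_t)marker;
        memset(buf + off, 'A', flen);
        off += flen;
    }
    return off;
}

/* Legitimate message: two 5-byte fragments, reassembles to 10 bytes. */
rpc_status case_two_fragments(size_t *out_len)
{
    uint8_t pkt[64], out[RPC_MAX_MSG];
    size_t n = build_fragments(pkt, sizeof pkt, 2, 5);
    return rpc_reassemble(pkt, n, out, out_len);
}

/* Overflow attempt: three 100-byte fragments. Each fits the packet, the sum
 * (300 bytes) does not fit the 256-byte buffer; without check (B) the third
 * memcpy would write past out[]. */
rpc_status case_oversized_total(size_t *out_len)
{
    uint8_t pkt[400], out[RPC_MAX_MSG];
    size_t n = build_fragments(pkt, sizeof pkt, 3, 100);
    return rpc_reassemble(pkt, n, out, out_len);
}

/* Lying marker: claims 1000 bytes (0x800003e8) but only 8 bytes follow. */
rpc_status case_lying_marker(size_t *out_len)
{
    uint8_t pkt[12] = { 0x80, 0x00, 0x03, 0xe8, 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A' };
    uint8_t out[RPC_MAX_MSG];
    return rpc_reassemble(pkt, sizeof pkt, out, out_len);
}

/* Reassembled length of the legitimate case, for checking. */
size_t case_two_fragments_len(void)
{
    size_t n = 0;
    case_two_fragments(&n);
    return n;
}

int main(void)
{
    size_t n = 0;
    printf("two fragments:   status %d, %zu bytes\n", (int)case_two_fragments(&n), n);
    printf("oversized total: status %d\n", (int)case_oversized_total(NULL));
    printf("lying marker:    status %d\n", (int)case_lying_marker(NULL));
    return 0;
}
```

The second case is the important one for a sensor: no single fragment looks wrong, so a decoder that validates fragments one at a time against the packet, but not the running total against its own buffer, is exactly the kind of code that can be overrun by traffic it was only meant to watch.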
Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.