[ISN] Intrusion Software Maker Snorts At Security Alert

From: InfoSec News (isnat_private)
Date: Wed Jan 30 2002 - 01:41:12 PST

  • Next message: InfoSec News: "[ISN] New Wireless List"

    http://www.newsbytes.com/news/02/174038.html
    
    By Brian McWilliams, Newsbytes
    ELDERSBURG, MARYLAND, U.S.A.,
    29 Jan 2002, 2:11 PM CST
     
    The developer of Snort, a popular open-source intrusion detection
    system (IDS), downplayed reports of a security flaw that could enable
    attackers to disable the software.
    
    According to an alert released Monday by Internet Security Systems
    (ISS), Snort versions 1.8.3 and earlier are susceptible to a denial of
    service attack.
     
    "If launched successfully against a Snort-protected network, all IDS
    functionality may be disabled until Snort is manually restarted," said
    ISS in its alert.
    
    ISS, which markets a commercial IDS product named RealSecure, stated
    that Snort's default configuration does not have the ability to
    restart when it crashes and requires a separate script or process
    monitor for such functionality.
    
    The flaw in Snort was originally reported by a user named Sinbad Jan.  
    10 on the Bugtraq security mailing list, along with instructions on
    how to cause the software to crash and exit.
    
    Martin Roesch, Snort's developer, was not immediately available for
    comment.
    
    A message posted Monday by Roesch to a mailing list for Snort users
    noted that the denial of service attack is only successful on
    Linux-based Snort installations that have a feature called ASCII
    payload dump enabled.
    
    "I think someone at ISS is putting together some marketing (fear,
    uncertainty, and doubt)," wrote Roesch, who also pointed out that
    instructions on how to patch the program were posted to both the
    Bugtraq and Snort lists on Jan. 10.
    
    After one Snort user responded that the software's download site
    contained no mention of the security vulnerability, a message was
    posted today on the front page of http://www.snort.org with a link to
    the Bugtraq post.
    
    According to the Snort Web site, Snort is a lightweight network
    intrusion detection system, capable of performing real-time traffic
    analysis and packet logging on IP networks. The software is available
    for Unix, Macintosh, and Windows platforms.
    
    The Snort site is at http://www.snort.org
    
    The Bugtraq report is at http://www.securityfocus.com/archive/1/249340
    
    The ISS alert is online at http://xforce.iss.net/static/7874.php
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 05:19:43 PST