[ISN] Intrusion Software Maker Snorts At Security Alert

From: InfoSec News (isnat_private)
Date: Wed Jan 30 2002 - 01:41:12 PST

Next message: InfoSec News: "[ISN] New Wireless List"

Previous message: InfoSec News: "[ISN] Bills aim at raising infosec expertise"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.newsbytes.com/news/02/174038.html

By Brian McWilliams, Newsbytes
ELDERSBURG, MARYLAND, U.S.A.,
29 Jan 2002, 2:11 PM CST
 
The developer of Snort, a popular open-source intrusion detection
system (IDS), downplayed reports of a security flaw that could enable
attackers to disable the software.

According to an alert released Monday by Internet Security Systems
(ISS), Snort versions 1.8.3 and earlier are susceptible to a denial of
service attack.
 
"If launched successfully against a Snort-protected network, all IDS
functionality may be disabled until Snort is manually restarted," said
ISS in its alert.

ISS, which markets a commercial IDS product named RealSecure, stated
that Snort's default configuration does not have the ability to
restart when it crashes and requires a separate script or process
monitor for such functionality.

The flaw in Snort was originally reported by a user named Sinbad Jan.  
10 on the Bugtraq security mailing list, along with instructions on
how to cause the software to crash and exit.

Martin Roesch, Snort's developer, was not immediately available for
comment.

A message posted Monday by Roesch to a mailing list for Snort users
noted that the denial of service attack is only successful on
Linux-based Snort installations that have a feature called ASCII
payload dump enabled.

"I think someone at ISS is putting together some marketing (fear,
uncertainty, and doubt)," wrote Roesch, who also pointed out that
instructions on how to patch the program were posted to both the
Bugtraq and Snort lists on Jan. 10.

After one Snort user responded that the software's download site
contained no mention of the security vulnerability, a message was
posted today on the front page of http://www.snort.org with a link to
the Bugtraq post.

According to the Snort Web site, Snort is a lightweight network
intrusion detection system, capable of performing real-time traffic
analysis and packet logging on IP networks. The software is available
for Unix, Macintosh, and Windows platforms.

The Snort site is at http://www.snort.org

The Bugtraq report is at http://www.securityfocus.com/archive/1/249340

The ISS alert is online at http://xforce.iss.net/static/7874.php



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
of the mail.

Next message: InfoSec News: "[ISN] New Wireless List"
Previous message: InfoSec News: "[ISN] Bills aim at raising infosec expertise"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 05:19:43 PST