Snort survives first vulnerability

Snort, the immensely popular open-source intrusion-detection system, is no longer confined to cult status. Since going commercial in 2001 with the formation of Columbia, Md.-based Sourcefire Inc., Snort has extended its reach into enterprises and deep into the federal government. Lauded for its stability, Sourcefire had its first million-dollar quarter in the fourth quarter of 2002, has grown revenues 1,000% since 2001, and has more than doubled its staff since early 2002.

Late in February, however, Snort had its first hiccup. A serious vulnerability was discovered by rival Internet Security Systems Inc. in Snort's remote procedure call (RPC) normalization preprocessor, which is used in the Sourcefire Network Sensor product line. The buffer overflow vulnerability could allow an attacker to create a denial-of-service condition or execute code by crafting specific RPC packets and sending them over a segment of a network that is monitored by a vulnerable Sourcefire sensor.
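The class of bug described above, a fixed-size reassembly buffer inside a packet normalizer that trusts a length field read off the wire, illustrated with an added, constructed C example that is not Snort's or Sourcefire's code. The record-marking layout follows ONC RPC over TCP (a 4-byte header whose top bit flags the last fragment and whose low 31 bits give the fragment length); the function names, the 256-byte buffer and the sample fragments are assumptions made for the illustration. The reassembler checks the claimed length against both the bytes actually present in the packet and the room left in the buffer before copying, and the three scenarios show an honest record being reassembled and two malformed fragments being dropped with the sensor's state untouched.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not Snort's RPC preprocessor: a normalizer that
 * reassembles ONC RPC record fragments (TCP record marking: 4-byte header,
 * high bit = last fragment, low 31 bits = length) into a fixed buffer. */

#define MAX_RECORD 256          /* assumed reassembly buffer size */

typedef struct {
    uint8_t buf[MAX_RECORD];
    size_t len;                 /* bytes reassembled so far, always <= MAX_RECORD */
    bool complete;              /* last-fragment flag seen */
} rpc_record_t;

enum { RPC_OK = 0, RPC_ERR_SHORT = -1, RPC_ERR_TRUNCATED = -2, RPC_ERR_OVERSIZE = -3 };

/* Append one fragment to rec. Every return other than RPC_OK leaves rec untouched. */
int rpc_append_fragment(rpc_record_t *rec, const uint8_t *frag, size_t frag_len)
{
    if (frag_len < 4)
        return RPC_ERR_SHORT;                       /* no room for the record mark */

    uint32_t mark = ((uint32_t)frag[0] << 24) | ((uint32_t)frag[1] << 16) |
                    ((uint32_t)frag[2] << 8)  |  (uint32_t)frag[3];
    bool last = (mark & 0x80000000u) != 0;
    uint32_t claimed = mark & 0x7fffffffu;          /* attacker-controlled length field */

    /* Check 1: the header must not claim more bytes than the packet carries. */
    if (claimed > frag_len - 4)
        return RPC_ERR_TRUNCATED;

    /* Check 2: the bytes must fit in what is left of the fixed buffer.
     * Subtracting on the known-good side means the comparison cannot wrap. */
    if (claimed > MAX_RECORD - rec->len)
        return RPC_ERR_OVERSIZE;

    memcpy(rec->buf + rec->len, frag + 4, claimed);
    rec->len += claimed;
    rec->complete = last;
    return RPC_OK;
}

/* Build a fragment carrying payload_len bytes but advertising claimed_len. */
static size_t make_fragment(uint8_t *out, size_t out_cap, const uint8_t *payload,
                            uint32_t payload_len, uint32_t claimed_len, bool last)
{
    if (out_cap < 4 + (size_t)payload_len)
        return 0;
    uint32_t mark = (last ? 0x80000000u : 0u) | (claimed_len & 0x7fffffffu);
    out[0] = (uint8_t)(mark >> 24); out[1] = (uint8_t)(mark >> 16);
    out[2] = (uint8_t)(mark >> 8);  out[3] = (uint8_t)mark;
    memcpy(out + 4, payload, payload_len);
    return 4 + payload_len;
}

/* Scenario 1: two honest fragments reassemble into one 8-byte record.
 * Returns the reassembled length, or 0 if anything was rejected. */
size_t scenario_valid_record(void)
{
    rpc_record_t rec = {0};
    uint8_t frag[64];
    const uint8_t a[4] = {1, 2, 3, 4}, b[4] = {5, 6, 7, 8};   /* constructed payloads */

    size_t n = make_fragment(frag, sizeof frag, a, 4, 4, false);
    if (rpc_append_fragment(&rec, frag, n) != RPC_OK) return 0;
    n = make_fragment(frag, sizeof frag, b, 4, 4, true);
    if (rpc_append_fragment(&rec, frag, n) != RPC_OK) return 0;
    return rec.complete ? rec.len : 0;
}

/* Scenario 2: a fragment that really carries more bytes than the buffer holds.
 * Without check 2 the memcpy would run past rec.buf. Returns 1 if rejected. */
int scenario_oversize_rejected(void)
{
    rpc_record_t rec = {0};
    uint8_t payload[MAX_RECORD + 64];
    uint8_t frag[sizeof payload + 4];
    memset(payload, 0x41, sizeof payload);

    size_t n = make_fragment(frag, sizeof frag, payload, sizeof payload, sizeof payload, true);
    int rc = rpc_append_fragment(&rec, frag, n);
    return rc == RPC_ERR_OVERSIZE && rec.len == 0;
}

/* Scenario 3: a header that lies about its length (claims 1000 bytes, carries 4).
 * Without check 1 the copy would read past the end of the packet. Returns 1 if rejected. */
int scenario_truncated_rejected(void)
{
    rpc_record_t rec = {0};
    uint8_t frag[64];
    const uint8_t a[4] = {1, 2, 3, 4};

    size_t n = make_fragment(frag, sizeof frag, a, 4, 1000, true);
    int rc = rpc_append_fragment(&rec, frag, n);
    return rc == RPC_ERR_TRUNCATED && rec.len == 0;
}

int main(void)
{
    printf("valid record length: %zu\n", scenario_valid_record());
    printf("oversize rejected: %d\n", scenario_oversize_rejected());
    printf("truncated rejected: %d\n", scenario_truncated_rejected());
    return 0;
}
```

The point of keeping the two checks separate is that they guard against different inputs: a header that lies about the packet it sits in, and a packet that is honest but larger than the sensor's buffer. A normalizer that trusts the length field for either copy is the kind of code where a crafted packet on a monitored segment becomes memory corruption inside the monitoring device itself.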

Sourcefire CEO Wayne Jackson provides SearchSecurity.com with the details on how Sourcefire and ISS joined forces, along with the FBI's National Infrastructure Protection Center (NIPC), to mitigate the flaw, patch sensitive government systems and issue a patch to users before details had the chance to fall into the wrong hands.

Is this the first reported vulnerability in Snort?
This is the only vulnerability in Snort ever that I'm aware of. Hackers and the technology they use to exploit vulnerabilities are so sophisticated, it was nearly inevitable.

We're not thrilled about it. We are re-doubling our efforts to secure our code base. We are dedicating internal resources and bringing in external resources to go through our code to make sure there are no others.

Was the vulnerability discovered in the open-source or commercial version of Snort?
The vulnerability was discovered in the open-source version of Snort. That part of the code, however, is used in both the open-source and commercial versions.

How severe is an RPC normalization preprocessor buffer overflow?
This is as severe as a vulnerability gets. Properly crafted, one could take over the machine by taking advantage of a buffer overflow. An attacker could write their own instructions onto a device. It's easy to mitigate and exploit.

Can you take us through the first few days after Sourcefire learned of the vulnerability?
We learned about it the evening of Feb. 20. Internet Security Systems discovered it. They recognized how pervasive Snort is and it led them to take a back seat to us in addressing the vulnerability and releasing the information to the public. We worked together to form a disclosure strategy. We put the elements together to mitigate the vulnerability, including the patch, so that at the start of business on Monday March 3, we were ready with everything needed to remediate.

Snort is used heavily in the (U.S.) government. We concluded that we should include NIPC in the initial disclosure and let them guide us on the disclosure strategy (on Feb. 27). They used the subsequent week to mitigate and patch anything. Last Monday (March 3), we made the disclosure to our customers and the public.

The Snort community is a loyal following. What has the community's reaction been to the first vulnerability?
I've heard few complaints. The ones that I have heard are mainly from those who are upset that we did not let everyone know at the same time. I don't think, however, that would have been appropriate or prudent. People were surprised how prepared for this we were.

With NIPC's involvement, you got a firsthand look at how the Department of Homeland Security handles vulnerabilities and the sharing and dissemination of information. What's your first impression of that process?
I was quite impressed, to tell the truth. Everyone understood the potential ramifications of an exploit. I was impressed how quickly and thoroughly it was remediated within the government. Snort is very pervasive in government. It's found in some of the country's most sensitive systems and networks. The vulnerability was both mitigated and the software was patched within the government without leaking information to the public. It was important to keep it secure, given the sensitive nature of the information and the risk that word would leak and hackers would get it first and launch an attack.

This kind of vulnerability, if not dealt with in the proper way, could represent a worst-case scenario. This was a blueprint for how these things could be dealt with in the future. There was generous corporate support. Thoughtful people prepared the mitigation strategy and the fixes were rolled out in a thoughtful way in a classified context within the government. It worked as well as I can imagine.

Were you hesitant about the initial reports considering one of your biggest rivals in the IDS space discovered the vulnerability?
It occurred to us that ISS could use this for marketing benefit, partly because they are a public company. There was a lot at stake here and someone at ISS understood how crucial this could be for critical systems and infrastructure in the U.S. My compliments to them.


This process speaks well for the open-source community and the full-disclosure movement?
It speaks to the mindset of the open-source community as opposed to the closed-source. Their strategy is to hide vulnerabilities and prevent exploits that way. We believe in exposing serious vulnerabilities for the community to deal with and in the end we have secure products.