[Snort-devel] Re: Snort SNMP

Chris Green cmg at ...402...
Wed May 28 05:52:02 EDT 2003


Glenn Mansfield Keeni <glenn at ...1085...> writes:

> Hi,
>    I guess that Marty and/or someone from the core group of snort-developers
> would be in a better position to answer that question.
>    My reading is that - since SnortSnmp uses the SNMP libraries - it
> cannot be independently security-audited (without carrying out an audit
> of the net-snmp code). The current move in Snort is to retain code in core
> only if it is security-audited/auditable.

The code flow in the original had several string manipulation
operations that were not auditable in the amount of time we had to get
2.0.x out the door.

    if(otn_tmp)
    {
        class_ptr = otn_tmp->sigInfo.classType; 
    }
    if (class_ptr )
    {
        Value = class_ptr->priority;
        sprintf (ValString, "%ld", Value);
    }
    else if (!SnmpData->compact)
    {
        Value = -1;     /* unknown */ 
        sprintf (ValString, "%ld", Value);
    }
    else 
    {
        ValString[0] = 0;
    }

Grabbing the events and parsing them out for the SNMP library calls
seemed to be too interrelated to have any confidence that there's not a
bad sprintf or strcpy.  That doesn't mean there's a known issue
there, just that we didn't have confidence there wasn't.
-- 
Chris Green <cmg at ...402...>
"Yeah, but you're taking the universe out of context."
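
An added example, not part of the original message and not Snort code: the three branches of the quoted snippet rewritten so the destination size travels with the call and truncation is rejected, which lets a reviewer check the write without tracing where the buffer was declared. The helper name `format_priority`, its parameters and the buffer sizes are assumptions; the page does not show how `ValString` is declared.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical helper (not Snort code): format an alert priority into a
 * caller-supplied buffer. have_class and compact mirror the three branches
 * of the quoted snippet. Returns 0 on success, -1 if the buffer is unusable
 * or the text would not fit. */
int format_priority(char *dst, size_t dst_len,
                    int have_class, long priority, int compact)
{
    int n;

    if (dst == NULL || dst_len == 0)
        return -1;

    if (!have_class && compact) {
        dst[0] = '\0';              /* compact mode: empty value */
        return 0;
    }

    /* -1 means "unknown", as in the quoted snippet */
    n = snprintf(dst, dst_len, "%ld", have_class ? priority : -1L);

    /* snprintf returns the length it wanted to write; a value >= dst_len
     * means the output was truncated, so fail closed rather than pass a
     * partial value on to the SNMP layer. */
    if (n < 0 || (size_t)n >= dst_len) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char val[32];   /* constructed size, for illustration only */
    char tiny[4];   /* deliberately too small for the second call */

    if (format_priority(val, sizeof val, 1, 3, 0) == 0)
        printf("priority: %s\n", val);
    if (format_priority(tiny, sizeof tiny, 1, 123456L, 0) != 0)
        printf("rejected: value does not fit in %zu bytes\n", sizeof tiny);
    return 0;
}
```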



