[Snort-devel] Re: Snort SNMP

Glenn Mansfield Keeni glenn at ...1085...
Sat May 31 02:59:05 EDT 2003


Chris,
      I got the point. Will do a check on the code and get rid
of the doubtful constructs (sprintf, strcpy, .... ).

      Thanks and Cheers

            Glenn

Chris Green wrote:
> Glenn Mansfield Keeni <glenn at ...1085...> writes:
> 
> 
>>Hi,
>>   I guess that Marty and/or someone from the core group of snort-developers
>>would be in a better position to answer that question.
>>   My reading is that - since SnortSnmp uses the SNMP libraries - it
>>cannot be independently security-audited (without carrying out an audit
>>of the net-snmp code). The current move in Snort is to retain code in core
>>only if it is security-audited/auditable.
> 
> 
> The code flow in the original had several string manipulation
> operations that were not auditable in the amount of time we had to get
> 2.0.x out the door.
> 
>     if(otn_tmp)
>     {
>         class_ptr = otn_tmp->sigInfo.classType; 
>     }
>     if (class_ptr )
>     {
>         Value = class_ptr->priority;
>         sprintf (ValString, "%ld", Value);
>     }
>     else if (!SnmpData->compact)
>     {
>         Value = -1;     /* unknown */ 
>         sprintf (ValString, "%ld", Value);
>     }
>     else 
>     {
>         ValString[0] = 0;
>     }
> 
> Grabbing the events and parsing them out for the SNMP library calls
> seemed to be too interrelated to have any confidence that there's not a
> bad sprintf or strcpy.  That doesn't mean there's a known issue
> there, just that we didn't have confidence there wasn't.
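
A bounded form of the ValString logic quoted above, as an added example that is not part of the original thread or of the Snort source. The two structs, format_priority() and the 32-byte buffer are hypothetical stand-ins; passing the destination size with the pointer and checking snprintf's return value is what lets the write be audited locally.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the Snort structures in the quoted fragment;
 * only the fields that fragment touches are modelled. */
struct class_type { long priority; };
struct snmp_data  { int compact; };

/* Bounded version of the quoted ValString logic. The destination size
 * travels with the pointer, so the write can be checked in one place.
 * Returns 0 on success, -1 if the buffer is unusable or the value would
 * not fit (the buffer is left as an empty string in that case). */
int format_priority(char *dst, size_t dstlen,
                    const struct class_type *class_ptr,
                    const struct snmp_data *snmp)
{
    long value;
    int n;

    if (dst == NULL || dstlen == 0 || snmp == NULL)
        return -1;
    dst[0] = '\0';

    if (class_ptr != NULL)
        value = class_ptr->priority;
    else if (!snmp->compact)
        value = -1;             /* unknown */
    else
        return 0;               /* compact mode: empty string */

    n = snprintf(dst, dstlen, "%ld", value);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';          /* truncated or output error: fail closed */
        return -1;
    }
    return 0;
}

int main(void)
{
    struct class_type ct = { 3 };   /* constructed sample priority */
    struct snmp_data full = { 0 };
    char val[32];                   /* constructed size; the original's is not shown */

    if (format_priority(val, sizeof val, &ct, &full) == 0)
        printf("priority=%s\n", val);
    return 0;
}
```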







