No subject


Thu Nov 23 16:31:58 EST 2017


He assumed that snort is responsible for some of his issues because
a little while after installing snort "his hub was maxed" and using a sniffer
on the line he was seeing packets with wierd TCP options and 
"syn attacks" as well as portscans.  He was operating under the
mis-assumption that detection facilities also included the ability to transmit
those attacks. I informed Mr Hulick that though snort has facilities for
detecting packets such as SYN packets in its signatures it has no facilities
for the transmission of those packets in that Win32 installer - as the 1.8.2
Win32 build is not even linked with LibnetNT.DLL in the installer, and has the
flexresp feature disabled as a new user precaution.  If the Snort Win32
1.8.2 install generates _ANY_ packets then something is seriously amiss. 
(Note: the 1.8.3 install version to be released shortly _will_ have multiple
options to enable flexresp as well as MySQL and  MSSQL support, because 
I finally figured out the mutliple features part of the [expletives deleted for
professionalism] MSI installer architecture) 

I have checked the md5sums of the package created on my build system
with the ones posted on snort.org, had a quick visual peek through the source
files used to build the binaries and at this time have to assume that nothing
has gone amiss. Bottom line: At this time nothing has been found amiss with the
Win32 Snort 1.8.2 Installer from snort.org, and I assume that we would have
heard much more of a uproar from the user community on that build (which seems
to be quite erm, vocal and responsive whenever we mess something up :-). We'll
be sure to send out some more notification when it is time to panic and
mark any trojaned versions of the software more clearly in the future :-).

I'm just being facetious above, but on a serious note, before I release any
installers for public download, I test them out over here on Win98 and
Win2k, and normally all of the other core snort developers as well Marty test
them out and kick tires a little bit, after which then I usually use a limited
test release out to a slightly wider group to forestall any stupid "dough"
issues or questions from the much larger snort-users audience.  This 
process has already caught a couple of small installer glitches under certain
Win32 OS configurations that I did not have available in my lab before the
release was announced,  so I feel fairly confident that it is working
well. So please rest assured we don't just fire the installs out into
the void untill they've had considerable testing and have been scrutinized
by the core entire core developers and many users. This process is 
now under way for the Win32 Installer for upcoming 1.8.3 release
which was completed recently. 

The Snort dudes (though I should say dudes and dudettes cause we may
have female developers in the future) take security of their systems and
networks very seriously (ranging up to borderline paranoia :-).  And we
seriously investigate any allegations and incidents that could affect this.
I look forward to getting more forensic information from Mr. Hulick, but
pending any further suspicious info, at this time my investigation of this 
issue is concluded. 

cheers,
--dr


On Mon, 19 Nov 2001, Ted Hulick wrote:
> 
> I downloaded your package yesterday...I've been in the industry 22 years and I know what I'm doing...
> I didn't alter the configuration, but since it's been downloaded - I've had to kill my network link 3 times...
> I have a high speed cable line...one of my NT machines has launched numerous attacks across the
> internet..and not even machines I contacted...i.e., incremental IP address and Port...
> .how do I know, I have several tools...including a sniffer...
> 
> I think you should take a look at the Windows version of the download...I've seen enough evidence myself
> to suggest it is seriously tainted by someone...it may not be as easy as testing it, as they have maybe
> programmed to make sure it's not a "home address"....it's no joke.
> 
> Like I said, I'm no rookie...I do analyze networks for a living....I'm deleting this code, and the install...
> and I won't recommend this package to anyone until you can explain what happened.
> 
> Feel free to call me...
> 
>    832-687-5200
>    Ted Hulick
> 
> ps- Unless your code is seriously buggy, you have a/some tainted developers playing games.....
> 





More information about the Snort-devel mailing list