[Snort-users] Can snort suffer from buffer overflows like tcpdump did?

Martin Roesch roesch at ...421...
Fri Mar 2 01:41:25 EST 2001


Can it?  Sure, anything is possible.  I take great pains to avoid these
sorts of things, but anything is possible.  AFAIK, Snort is currently
overflow free once it's up and running (I won't speak to the rules
parser being 100% overflow free, but you have to be root to run it). 
The main data path for the system is pretty smooth, there isn't a lot of
data being copied around, etc.  We don't do name lookups, we don't
really interact with the system very much, etc.  Running Snort chroot'd
and with setuid/gid is smart from a pure security standpoint, but as a
point of reference I'm comfortable running it without those options on
my home rig.  

Being the author of the system perhaps gives me a certain perspective on
it, but I think that it's secure from buffer overflows.  Now, watch the
world prove me wrong... :)

    -Marty

Jason Haar wrote:
> 
> Says it all really. Such nasty events have hit several sniffers in the past
> year, so I'm wondering how susceptible snort is to them.
> 
> [BugTraq reported yesterday that W2K EventViewer can suffer from overflow
> attacks by viewing eventlogs! Where will it end...]
> 
> I mean, "bad packets" could potentially cause snort itself to run exploit
> code (such as that tcpdump bug last year), and valid crafted packets could
> cause snort to log (via file, syslog, SQL, XML, - the list gets ever bigger)
> data that could contain escape chars for instance - potentially causing
> problems under particular logging schemes.
> 
> As a safety measure, if I ran snort chroot'ed as a non-root account, what
> would a snort exploit gain the hacker? If they end up dumping opcodes
> on the snort server, running as usercode "snort", under a chrooted
> directory, they wouldn't be capable of much anyway, would they?
> 
> --
> Cheers
> 
> Jason Haar
> 
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users

--
Martin Roesch
roesch at ...421...
http://www.snort.org




More information about the Snort-users mailing list