[Snort-users] Can snort suffer from buffer overflows like tcpdump did?

Fyodor fygrave at ...121...
Fri Mar 2 06:52:47 EST 2001


On Thu, Mar 01, 2001 at 10:27:06AM +1300, Jason Haar wrote:
> Says it all really. Such nasty events have hit several sniffers in the past
> year, so I'm wondering how susceptible snort is to them. 
> 
> [BugTraq reported yesterday that W2K EventViewer can suffer from overflow
> attacks by viewing eventlogs! Where will it end...]
> 
> I mean, "bad packets" could potentially cause snort itself to run exploit
> code (such as that tcpdump bug last year), and valid crafted packets could
> cause snort to log (via file, syslog, SQL, XML, - the list gets ever bigger)
> data that could contain escape chars for instance - potentially causing
> problems under particular logging schemes.

Well, we are trying our best to avoid these kinds of errors in our code, but
if you find one (or more? :)) holes in our code, we'd be more than happy to
fix them and give you credit. :)

That's also the reason why we provide chroot and chuid/chgid features in snort:
in case we really missed something, you can still run snort safely enough that
the most an attacker would be able to do is rm'ing/modifying your snortlogs, or
something (you can still configure this stuff safely enough too, via Linux
'append-only' flags, for example).
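
The confinement described in the reply above, sketched as an added example that is not part of the original message and not Snort's own code: a sniffer enters a chroot jail and permanently gives up root before it parses any packets. The function name `confine`, the jail path and the numeric ids are assumptions made for illustration.

```c
/* Added illustration, not Snort source: confine a sniffer once it has
 * opened its capture device (the only step that needs root). */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes chroot() and setgroups() */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 once the process is jailed and unprivileged, -1 otherwise. */
int confine(const char *jail, uid_t uid, gid_t gid)
{
    /* Refuse a missing or relative jail path and root ids up front. */
    if (jail == NULL || jail[0] != '/' || uid == 0 || gid == 0)
        return -1;

    /* 1. Enter the jail while still root, then move cwd inside it. */
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;

    /* 2. Drop supplementary groups, then gid, then uid. In the reverse
     *    order the group calls fail because root is already gone. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;

    /* 3. Confirm the drop is permanent: regaining root must fail. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(void)
{
    /* Hypothetical jail path and ids, chosen only for this example. */
    if (confine("/var/snort-jail", 65534, 65534) != 0) {
        fprintf(stderr, "confine failed; not processing packets as root\n");
        return 1;
    }
    puts("confined; packet decoding and logging start here");
    return 0;
}
```

Log files have to live inside the jail for the confined process to reach them; the append-only flag mentioned in the reply is set on them by root from outside the jail (on Linux, `chattr +a`), since the unprivileged process cannot change it.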
 



