[Snort-users] Cert Advisory and now no SNMP traps.

Kevin J. Schmidt kschmidt at ...468...
Thu Apr 17 12:02:08 EDT 2003


It would be great if someone from the Snort dev team and/or Sourcefire
would comment on when (or should I say if) SNMP will be re-added to
Snort. 

It also appears that XML was removed, too.

On Thu, 2003-04-17 at 14:44, larosa, vjay wrote:
> Well I have to say this sucks. Now those of us that rely on SNMP traps
> are forced to upgrade to snort 2.0 and will lose our NMS integrations.
> 
> Anyway, I am going to write a program to select events of interest from
> A Mysql database and will send SNMP traps to the NMS on behalf of snort.
> I will post to the list in the next week or so when it is done. I will give
> the perl Code to anybody who is interested in it.
> 
> vjl
> 
> -----Original Message-----
> From: James-lists [mailto:hackerwacker at ...3784...] 
> Sent: Thursday, April 17, 2003 1:50 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Fw: CERT Advisory CA-2003-13 Multiple Vulnerabilities
> in Snort Preprocessors
> 
> 
> ----- Original Message ----- 
> From: "CERT Advisory" <cert-advisory at ...241...>
> To: <cert-advisory at ...241...>
> Sent: Thursday, April 17, 2003 9:29 AM
> Subject: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort
> Preprocessors
> 
> 
> : 
> : 
> : -----BEGIN PGP SIGNED MESSAGE-----
> : 
> : CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors
> : 
> :    Original release date: April 17, 2003
> :    Last revised: --
> :    Source: CERT/CC
> : 
> :    A complete revision history can be found at the end of this file.
> : 
> : Systems Affected
> : 
> :      * Snort IDS, versions 1.8 through 2.0 RC1
> : 
> : Overview
> : 
> :    There are two vulnerabilities in the Snort Intrusion Detection System,
> :    each  in  a  separate  preprocessor module. Both vulnerabilities allow
> :    remote  attackers to execute arbitrary code with the privileges of the
> :    user running Snort, typically root.
> : 
> : I. Description
> : 
> :    The   Snort  intrusion  detection  system  ships  with  a  variety  of
> :    preprocessor  modules  that  allow  the  user  to  selectively include
> :    additional    functionality.    Researchers   from   two   independent
> :    organizations have discovered vulnerabilities in two of these modules,
> :    the  RPC  preprocessor  and  the  "stream4"  TCP  fragment  reassembly
> :    preprocessor.
> : 
> :    For additional information regarding Snort, please see
> :    
> :      http://www.snort.org/.
> : 
> :    VU#139129 - Heap overflow in Snort "stream4" preprocessor
> (CAN-2003-0029)
> : 
> :    Researchers  at  CORE Security Technologies have discovered a remotely
> :    exploitable  heap overflow in the Snort "stream4" preprocessor module.
> :    This  module  allows  Snort  to  reassemble  TCP  packet fragments for
> :    further analysis.
> : 
> :    To  exploit  this  vulnerability,  an  attacker must disrupt the state
> :    tracking  mechanism  of the preprocessor module by sending a series of
> :    packets  with  crafted  sequence  numbers.  This  causes the module to
> :    bypass a check for buffer overflow attempts and allows the attacker to
> :    insert arbitrary code into the heap.
> : 
> :    For additional information, please read the Core Security Technologies
> :    Advisory located at
> : 
> :      http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10
> : 
> :    This  vulnerability affects Snort versions 1.8.x, 1.9.x, and 2.0 prior
> :    to  RC1. Snort has published an advisory regarding this vulnerability;
> :    it is available at
> : 
> :      http://www.snort.org/advisories/snort-2003-04-16-1.txt.
> : 
> :    VU#916785 - Buffer overflow in Snort RPC preprocessor (CAN-2003-0033)
> : 
> :    Researchers  at  Internet  Security  Systems  (ISS)  have discovered a
> :    remotely  exploitable  buffer  overflow  in the Snort RPC preprocessor
> :    module.  Martin  Roesch,  primary  developer  for Snort, described the
> :    vulnerability as follows:
> : 
> :      When the RPC decoder normalizes fragmented RPC records, it
> :      incorrectly checks the lengths of what is being normalized against
> :      the current packet size, leading to an overflow condition. The RPC
> :      preprocessor is enabled by default.
> : 
> :    For  additional  information,  please  read  the  ISS X-Force advisory
> :    located at
> : 
> :      http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951
> : 
> :    This  vulnerability  affects  Snort  versions  1.8.x through 1.9.1 and
> :    version 2.0 Beta.
> : 
> : II. Impact
> : 
> :    Both  VU#139129  and  VU#916785  allow  remote  attackers  to  execute
> :    arbitrary  code  with  the  privileges  of  the  user  running  Snort,
> :    typically  root.  In addition, it is not necessary for the attacker to
> :    know  the  IP  address of the Snort device they wish to attack; merely
> :    sending  malicious  traffic  where  it  can be observed by an affected
> :    Snort sensor is sufficient to exploit these vulnerabilities.
> : 
> : III. Solution
> : 
> : Upgrade to Snort 2.0
> : 
> :    Both VU#139129 and VU#916785 are addressed in Snort version 2.0, which
> :    is available at
> : 
> :      http://www.snort.org/dl/snort-2.0.0.tar.gz
> : 
> :    Binary-only versions of Snort are available from
> : 
> :      http://www.snort.org/dl/binaries
> : 
> :    For  information  from  other  vendors  that ship affected versions of
> :    Snort, please see Appendix A of this document.
> : 
> : Disable affected preprocessor modules
> : 
> :    Sites  that  are  unable to immediately upgrade affected Snort sensors
> :    may  prevent  exploitation of this vulnerability by commenting out the
> :    affected preprocessor modules in the "snort.conf" configuration file.
> : 
> :    To prevent exploitation of VU#139129, comment out the following line:
> : 
> :      preprocessor stream4_reassemble
> : 
> :    To prevent exploitation of VU#916785, comment out the following line:
> : 
> :      preprocessor rpc_decode: 111 32771
> : 
> :    After commenting out the affected modules, send a SIGHUP signal to the
> :    affected   Snort  process  to  update  the  configuration.  Note  that
> :    disabling these modules may have adverse affects on a sensor's ability
> :    to correctly process RPC record fragments and TCP packet fragments. In
> :    particular,  disabling  the "stream4" preprocessor module will prevent
> :    the Snort sensor from detecting a variety of IDS evasion attacks.
> : 
> : Block outbound packets from Snort IDS systems
> : 
> :    You  may  be  able  limit  an attacker's capabilities if the system is
> :    compromised  by  blocking  all outbound traffic from the Snort sensor.
> :    While   this   workaround   will   not  prevent  exploitation  of  the
> :    vulnerability,  it  may  make  it  more  difficult for the attacker to
> :    create a useful exploit.
> : 
> : Appendix A. - Vendor Information
> : 
> :    This  appendix  contains  information  provided  by  vendors  for this
> :    advisory.  As  vendors  report new information to the CERT/CC, we will
> :    update this section and note the changes in our revision history. If a
> :    particular  vendor  is  not  listed  below, we have not received their
> :    comments.
> : 
> : Apple Computer, Inc.
> : 
> :    Snort is not shipped with Mac OS X or Mac OS X Server.
> : 
> : Ingrian Networks
> : 
> :    Ingrian  Networks  products  are  not  susceptible  to  VU#139129  and
> :    VU#916785 since they do not use Snort.
> : 
> :    Ingrian  customers  who  are  using the IDS Extender Service Engine to
> :    mirror  cleartext  data  to a Snort-based IDS should upgrade their IDS
> :    software.
> : 
> : NetBSD
> : 
> :    NetBSD does not include snort in the base system.
> : 
> :    Snort  is  available from the 3rd party software system, pkgsrc. Users
> :    who  have  installed  net/snort,  net/snort-mysql  or  net/snort-pgsql
> :    should  update  to a fixed version. pkgsrc/security/audit-packages can
> :    be used to keep up to date with these types of issues.
> : 
> : Red Hat Inc.
> : 
> :    Not  vulnerable.  Red  Hat does not ship Snort in any of our supported
> :    products.
> : 
> : SGI
> : 
> :    SGI does not ship snort as part of IRIX.
> : 
> : Snort
> : 
> :    Snort  2.0 has undergone an external third party professional security
> :    audit funded by Sourcefire.
> :      _________________________________________________________________
> : 
> :    The  CERT/CC  acknowledges  Bruce Leidl, Juan Pablo Martinez Kuhn, and
> :    Alejandro David Weil of Core Security Technologies for their discovery
> :    of  VU#139129.  We  also  acknowledge  Mark Dowd and Neel Mehta of ISS
> :    X-Force for their discovery of VU#916785.
> :      _________________________________________________________________
> : 
> :    Authors: Jeffrey P. Lanza and Cory F. Cohen.
> :    ______________________________________________________________________
> : 
> :    This document is available from:
> :    http://www.cert.org/advisories/CA-2003-13.html
> :    ______________________________________________________________________
> : 
> : CERT/CC Contact Information
> : 
> :    Email: cert at ...241...
> :           Phone: +1 412-268-7090 (24-hour hotline)
> :           Fax: +1 412-268-6989
> :           Postal address:
> :           CERT Coordination Center
> :           Software Engineering Institute
> :           Carnegie Mellon University
> :           Pittsburgh PA 15213-3890
> :           U.S.A.
> : 
> :    CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
> :    EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
> :    during other hours, on U.S. holidays, and on weekends.
> : 
> : Using encryption
> : 
> :    We  strongly  urge you to encrypt sensitive information sent by email.
> :    Our public PGP key is available from
> :    http://www.cert.org/CERT_PGP.key
> : 
> :    If  you  prefer  to  use  DES,  please  call the CERT hotline for more
> :    information.
> : 
> : Getting security information
> : 
> :    CERT  publications  and  other security information are available from
> :    our web site
> :    http://www.cert.org/
> : 
> :    To  subscribe  to  the CERT mailing list for advisories and bulletins,
> :    send  email  to majordomo at ...7510... Please include in the body of your
> :    message
> : 
> :    subscribe cert-advisory
> : 
> :    *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
> :    Patent and Trademark Office.
> :    ______________________________________________________________________
> : 
> :    NO WARRANTY
> :    Any  material furnished by Carnegie Mellon University and the Software
> :    Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
> :    Mellon University makes no warranties of any kind, either expressed or
> :    implied  as  to  any matter including, but not limited to, warranty of
> :    fitness  for  a  particular purpose or merchantability, exclusivity or
> :    results  obtained from use of the material. Carnegie Mellon University
> :    does  not  make  any warranty of any kind with respect to freedom from
> :    patent, trademark, or copyright infringement.
> :      _________________________________________________________________
> : 
> :    Conditions for use, disclaimers, and sponsorship information
> : 
> :    Copyright 2003 Carnegie Mellon University.
> : 
> :    Revision History
> : April 17, 2003:  Initial release
> : 
> : -----BEGIN PGP SIGNATURE-----
> : Version: PGP 6.5.8
> : 
> : iQCVAwUBPp7GWGjtSoHZUTs5AQGmlAP+MWnegmA1Qft9AenH7xefffpEDVGDT+sl
> : T4iljwl/ySozE962r40mL4KCszZDPdwRW/MyMA7ZcFaoWbiZc/QrEhTa4A/YYJWC
> : A4kL1cEnM/LiQ7yYBSnJ6DIWDTo+M1PUS9so02M6a0f0e4jpzXZDJ5HmPDdo/aPq
> : NW70cU8gbgs=
> : =Vs2Q
> : -----END PGP SIGNATURE-----
> : 
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
Kevin J. Schmidt <kschmidt at ...468...>





More information about the Snort-users mailing list